花叔Design

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent design-production workflow with disclosed network, file-generation, and optional API/TTS behavior, but no evidence of hidden exfiltration, destructive actions, or deception.

Install only if you want an agent to perform design-production work that may search the web, download brand assets, create project files, run Playwright/ffmpeg tooling, and optionally call TTS or LLM APIs. Avoid entering long-lived API keys into generated browser prototypes, review any downloaded third-party assets for licensing, and keep the optional personal asset index limited to information you are comfortable having the agent use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Low
Confidence: 91%
Finding
The SVG imports fonts from fonts.googleapis.com, which causes a network request when the asset is rendered in a capable environment. For a local banner asset, this adds unnecessary external dependency, metadata leakage, and non-deterministic rendering behavior, though it is not direct code execution.

Context-Inappropriate Capability

Low
Confidence: 90%
Finding
The file imports Google Fonts from an external origin, which causes network access when the static HTML is opened. In a design showcase this is not code execution, but it does create unnecessary third-party requests, metadata leakage, and dependency on external availability for a file that otherwise appears self-contained.

Context-Inappropriate Capability

Low
Confidence: 93%
Finding
This bundled static mockup pulls third-party resources from Google Fonts and unpkg at render time, creating unnecessary supply-chain and privacy exposure for an asset that appears intended to be self-contained. If those external resources are modified, unavailable, or used for tracking, the showcase can break or load untrusted code despite being only a design artifact.

Context-Inappropriate Capability

Low
Confidence: 88%
Finding
The HTML prototype loads third-party resources from Google Fonts and unpkg at runtime even though the page is a local mockup. That introduces an external supply-chain and privacy surface: a compromised CDN/resource update could change page behavior, and loading the page leaks user metadata such as IP address and user agent to third parties.

Context-Inappropriate Capability

Low
Confidence: 89%
Finding
This HTML showcase loads fonts from Google Fonts and JavaScript from unpkg at runtime, which creates unnecessary external network dependencies for a local design prototype. Even if the imported resources are common, they expose viewers to third-party tracking, content drift, and potential supply-chain compromise if the CDN content changes or is tampered with.

Context-Inappropriate Capability

Low
Confidence: 93%
Finding
The document discloses a developer-local absolute filesystem path, which is unnecessary for end users and leaks internal environment details such as username, directory structure, and project organization. While not directly exploitable on its own, this kind of information disclosure can aid reconnaissance, social engineering, or correlation with other leaks.

Missing User Warnings

Medium
Confidence: 80%
Finding
The README explicitly directs the agent to search for, download, and process brand assets and third-party images from external sources, but it does not require clear user consent or disclosure before external network access occurs. In an agent setting, this can lead to unintended data sharing, fetching copyrighted or sensitive brand materials, and surprising users with outbound requests tied to their prompts or proprietary brands.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README instructs the agent to search official brand sites, download assets, scrape colors, and write a local `brand-spec.md` file, but it does not warn users that this will perform network access and modify workspace files. In an agent environment, that can lead to unexpected external requests and file creation/overwrite without explicit user consent, especially when a brand name appears in an otherwise normal design request.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger list contains very broad everyday phrases such as requests to 'make something nice,' 'review,' 'visualize,' or 'pick a style,' which can cause the skill to activate outside its intended scope. In an agent system, over-triggering is dangerous because it can redirect unrelated tasks into a high-authority workflow that performs web searches, file generation, asset handling, and external-tool suggestions without the user explicitly asking for this skill.

Vague Triggers

Medium
Confidence: 92%
Finding
The fallback-mode activation rules are phrased broadly enough that many ordinary ambiguous requests could be swept into this skill's advisory mode, even when the user did not ask for design-direction consulting. Because this mode then expands into multi-phase generation, showcase selection, asset lookup, and demo creation, an unintended invocation can lead to unnecessary tool use, unwanted file creation, and scope takeover from other more appropriate skills.

Missing User Warnings

Medium
Confidence: 92%
Finding
The component broadcasts slide navigation state with postMessage using the wildcard targetOrigin ('*') to both the current window and any parent frame. While the payload is not highly sensitive by itself, embedding contexts can silently receive presentation progress data, and the pattern normalizes cross-origin disclosure without origin restrictions or consent. In a design/prototyping skill that may be embedded in external tooling, this becomes more relevant because demos are likely to run inside iframes or host shells.

Vague Triggers

Medium
Confidence: 82%
Finding
The phrase stating the skill will 'automatically read' a personal asset index implies background access to user-specific data without clearly documenting when, why, or how broadly that data is consumed. In a design skill that may process personal identity, contact, product, and local path information, this ambiguity can lead to overcollection, privacy surprises, and unintended exposure of sensitive local metadata.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document instructs users to call the Anthropic API directly from browser HTML using a pasted API key, but it does not clearly warn that prompts and responses are transmitted from the client environment to a third-party service and may be exposed via browser tooling, page scripts, logs, or an untrusted prototype context. In a skill that generates runnable HTML demos, this guidance can normalize unsafe key handling and lead users to put sensitive prompts or credentials into browser-based prototypes.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script sends arbitrary narration text and voice parameters to an external TTS helper process, which in this skill context likely means forwarding content to a third-party service. That creates a real data-exposure risk because user-supplied scripts may contain sensitive or proprietary text, and this file provides no consent gate, classification check, or warning before transmission.

Ssd 4

Medium
Confidence: 77%
Finding
The origin story states that the author had an agent deconstruct another product, including circulating system prompts, and turn that into a local skill. That normalizes prompt extraction and derivative reproduction of proprietary instructions, which can encourage agents or users to exfiltrate confidential prompt material or violate provider terms when applied beyond this narrative example.

VirusTotal

66/66 vendors flagged this skill as clean.
