ClawHub

China Bid Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward Chinese bid and tender document generator, with expected web lookup and document output behavior.

Use this skill for drafting support, not as a substitute for legal, procurement, or factual review. Avoid giving confidential pricing, tender strategy, regulated data, or internal organizational materials unless you are comfortable with the agent using that content in generated files and, when web-search or AI services are enabled, potentially sending related context outside the local environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The example trigger phrases are very broad natural-language requests such as '帮我写一份IT项目的投标书' and '写一份政府招标文件', which overlap heavily with ordinary user requests. In an agentic environment, this can cause unintended auto-activation of the skill for generic writing tasks, leading the system to perform web lookup or file-generation actions without the user clearly opting into this specific tool.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises internet search and document output capabilities, but the user-facing description does not clearly warn that external retrieval may occur or that files will be written. This weakens informed consent and can expose sensitive procurement, pricing, or organizational data to external services or produce local artifacts unexpectedly, which is especially sensitive in bidding workflows.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal