Security audit

Technical Deep Analysis

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Chinese technical-analysis report framework with no evidence of hidden execution, credential access, or data exfiltration.

Install this if you want a Chinese technical-analysis report workflow. Before using it, confirm that broad requests like technical or industry analysis should invoke the skill, set the desired output language, and avoid putting confidential internal information into generated reports unless your workspace is authorized for it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding:
The trigger phrases are overly broad and overlap with normal analytical requests such as '技术分析' (technical analysis) and '行业分析' (industry analysis), which can cause the skill to activate in situations the user did not intend. In an agent system, unintended invocation can alter model behavior, route tasks through an unexpected methodology, or pull in additional instructions and file dependencies, increasing the risk of mis-execution and instruction-scope confusion.

Natural-Language Policy Violations

Medium
Confidence: 94%
Finding:
The template is written entirely in Chinese and strongly steers report generation toward Chinese output without any visible mechanism for user language preference or opt-in. This can cause unintended language mismatch, reduce usability, and lead agents to ignore the user-requested output language, which is a real prompt-quality and policy-compliance issue even if it is not a classic security exploit.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.