ClawHub

Wa Quanquaner Skill

Security checks across malware telemetry and agentic risk

Overview

This coupon skill mostly does what it says, but it can activate on generic food/chat phrases and asks for broader command permissions than a coupon lookup needs.

Review before installing if you do not want a skill that may surface coupon links during broad food-delivery or meal-choice conversations. Prefer narrowing activation to explicit coupon or discount requests and removing unrestricted PowerShell permission unless there is a documented need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill advertises very broad natural-language triggers such as '今天吃什么', '点外卖', and other common everyday requests, which can cause the agent to invoke this skill in many ordinary conversations unrelated to coupon retrieval. Over-broad activation increases the chance of unintended routing, user confusion, and opportunistic promotion of external links, especially because the skill centers on redirecting users to third-party offer pages.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description includes broad everyday phrases like '今天吃什么', '点外卖', and '叫外卖', which can cause the skill to activate in many ordinary conversations unrelated to coupon retrieval. Over-broad invocation increases the chance of unsolicited tool execution and unnecessary outbound requests to the external coupon service.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The dedicated trigger section repeats ambiguous activation keywords without constraints, again including generic phrases that are common in normal meal-planning chat. In context, this is more risky because the skill is configured to use network-capable tools, so accidental invocation can produce external requests and promotional output the user did not explicitly ask for.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal