ClawHub

挖券券儿

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed coupon lookup tool that fetches promotional delivery-coupon data from its own service and formats the result, with no evidence of secret access, persistence, or destructive behavior.

Install only if you are comfortable with the agent contacting waquanquaner.cn for coupon data and showing links returned by that service. Review links before opening them, and be aware that broad food-related prompts may trigger coupon suggestions even when you did not explicitly ask for a coupon.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README advertises natural-language triggers such as broad coupon-related phrases and suggests automatic invocation behavior. In an agent context, overly broad triggers can cause the skill to run on loosely related user input, leading to unintended external network requests and unsolicited promotional output. The risk is elevated because the skill fetches remote content from a third-party domain and is positioned to auto-handle conversational queries.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The invocation examples include ambiguous everyday requests like asking what to eat today, which do not clearly express intent to retrieve coupons. In an agent environment, this increases the chance of accidental activation, causing the agent to contact the external service and inject commercial or irrelevant content into normal conversations. Because the skill is designed for automatic recognition, the broad examples materially increase misuse risk rather than being harmless documentation.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger keywords include broad everyday phrases such as '今天吃什么' and '点外卖', which can cause the skill to activate in unrelated conversations. Over-broad activation increases the chance of unsolicited external web requests and link surfacing, which is risky because the skill is designed to fetch promotional content from a remote domain.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal