ClawHub

Yunlv Pricing

Security checks across malware telemetry and agentic risk

Overview

This pricing-analysis skill is coherent and disclosed, but users should avoid sending confidential business details to the Yunlv API unless they trust that service.

Install only if you are comfortable using Yunlv for pricing assistance. Use a dedicated API key where possible, avoid submitting customer lists, exact margins, proprietary pricing models, or confidential competitor research, and confirm the skill is relevant before using it on broad pricing questions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list contains generic pricing phrases such as '价格分析', 'pricing strategy', and 'pricing advice' that are likely to appear in ordinary business conversations. This can cause the skill to activate outside the user's intent, unnecessarily exposing conversation content to the skill's instructions and potentially prompting external API use when the user only wanted general discussion.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest description uses broad, generic activation criteria such as whenever a user needs pricing strategy or market reference advice, without tight boundaries on what inputs are appropriate or what data should be excluded. This can cause over-invocation and increase the chance that sensitive business context is unnecessarily routed to the external pricing API.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The manifest declares an external API key and remote service but does not disclose that user-supplied business pricing context, competitive data, or market details may be sent off-platform. This creates a meaningful data exposure risk because users may provide commercially sensitive pricing strategy information without informed consent or data-handling warnings.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal