ClawHub

reportgama

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed public-source market research report generator, with broad web collection that fits its stated purpose.

Install only if you want broad public web research for market reports. Use an isolated Python environment, review the missing referenced scripts before trying the command examples, and confirm country, product category, language, research depth, source types, and output path before allowing a long multi-source run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes very generic phrases such as '深度市场调研报告' and '[国家]+[品类] 市场调研报告', which can cause the skill to activate during ordinary conversation rather than only on explicit user intent. In this skill, accidental activation is more sensitive because execution leads to broad external collection across search engines, news sites, e-commerce platforms, and social platforms, increasing privacy, compliance, and unintended network activity risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The overview emphasizes report generation capability but does not clearly warn users that the skill performs wide-ranging external collection from many public websites and social/community platforms. This reduces informed consent and can mislead users into triggering substantial scraping, monitoring, and outbound requests without realizing the breadth of data access involved.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
The workflow hard-codes Russian as the extracted language for a Russia-related request without asking the user to confirm language preferences or output constraints. While not directly a code-execution flaw, this can cause unintended cross-language querying and broader source collection than the user expected, which is more concerning here because the skill automatically performs multi-source external research.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal