ClawHub
Back to skill

Security audit

域名价值分析

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed domain-value analyzer with a local helper script and no evidence of hidden data access, persistence, or destructive behavior.

Install this if you want a simple heuristic domain valuation assistant. Treat its valuation as rough guidance, confirm availability and trademark/legal issues separately, and only allow Bash or WebFetch use when you clearly asked for domain analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README says the skill can be triggered by simply mentioning a domain name in normal conversation, which is an overly broad activation pattern. That can cause unintended invocation during unrelated chats, leading to surprise tool use, unwanted processing of user input, and reduced user control over when the skill runs.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase "这个域名怎么样" is broad and likely to match many ordinary conversations about domains, causing the skill to activate when the user did not explicitly request valuation. Over-broad activation can lead to inappropriate tool use, context hijacking, and reduced reliability because the agent may switch into this skill for loosely related requests.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Using patterns like TLD plus domain (for example, mention of .com or .io) is too ambiguous because such strings appear in many contexts unrelated to domain valuation. This can spuriously activate the skill and potentially invoke WebFetch or Bash-based analysis on irrelevant input, increasing the chance of unintended actions and poor routing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.