ClawHub
Back to skill

Security audit

Element UI Vue2

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Element UI Vue 2 reference skill, with some broad routing and Chinese-language content but no hidden execution or sensitive access.

Install this if you want Element UI Vue 2 documentation available to your agent. Be aware it may be invoked for broad Vue 2 UI requests and much of the reference content is Chinese, so specify another library or output language when that matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger conditions are overly broad and include generic frontend development scenarios such as developing Vue 2.x pages, using common `el-` components, or needing standard UI elements. This can cause the skill to auto-activate in many routine tasks where it may not be specifically intended, increasing the chance of unintended context injection, workflow interference, or misuse of the skill’s guidance.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The invocation text is broadly scoped ('Invoke when user needs Descriptions ... in Vue 2.x project') and lacks tighter routing constraints, which can cause the skill to activate for loosely related requests. In an agent system, over-broad activation can misroute user tasks, increase unnecessary tool exposure, and reduce the chance that a more appropriate skill is selected.

Natural-Language Policy Violations

Low
Confidence
77% confidence
Finding
The description mixes Chinese-specific component naming and links without indicating that language/locale selection should follow user preference. This can steer interactions toward a fixed locale context, potentially degrading usability, causing incorrect assumptions about the user's environment, or biasing retrieval toward Chinese-language references when not requested.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The invocation text says to invoke when the user 'needs Progress 进度条 in Vue 2.x project,' which is a broad trigger without constraints such as requiring Element UI, desktop context, or explicit user preference for this component library. Over-broad routing can cause the agent to select this skill in situations where it is not the best fit, leading to irrelevant or lower-quality guidance and increasing the chance of unintended behavior across unrelated requests.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill metadata and content are written to serve Chinese-language Element UI documentation ('Progress 进度条', Chinese URL path, and Chinese descriptions) without indicating that output language should follow the user's preference. This can force a locale on users who did not request Chinese, causing mismatched responses, confusion, and incorrect skill routing based on language rather than user intent.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The skill metadata and content are written entirely in Chinese and explicitly frame usage around that locale, which can steer an agent to respond in a specific language without checking the user's preference. This is not code-execution dangerous, but it can degrade usability, cause misunderstanding, and override user intent in multilingual contexts.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The frontmatter description explicitly states the skill should be invoked when the user needs '自定义主题' in a Vue 2.x project, which hardcodes Chinese-language behavior without any indication that the user's language preference was requested or detected. This can cause the agent to respond in an unexpected language, degrading usability and potentially causing misunderstandings in technical guidance.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The frontmatter description says the skill should be invoked when a user needs '国际化 in Vue 2.x project,' which is broader than the skill's stated scope of Element UI Vue2 desktop components. That can cause the agent to select this skill for generic Vue 2 i18n tasks unrelated to Element UI, increasing the chance of irrelevant or unsafe guidance being applied in the wrong context.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The frontmatter description explicitly mixes and emphasizes Chinese-language output ('快速上手') without indicating that locale should be selected based on user preference. In an agent skill, hard-coding a language/locale can cause the assistant to respond in an unintended language, reducing usability and potentially causing misunderstandings in setup or security-relevant instructions.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest description says to invoke the skill whenever the user needs a DateTimePicker in a Vue 2.x project, which is a broad routing condition rather than a tightly scoped trigger. Overbroad invocation rules can cause the agent to select this skill in contexts where it is only partially relevant, increasing the chance of inappropriate tool use, confused responses, or accidental leakage of context into an unnecessary skill.

Natural-Language Policy Violations

Low
Confidence
81% confidence
Finding
The skill metadata and document description explicitly anchor the content to Chinese-language documentation without indicating that this should occur only when the user wants Chinese output or Chinese references. This can steer an agent toward a language context the user did not request, causing usability issues, misunderstanding, or policy drift in multilingual environments.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal