ClawHub

HouseBuying-CN 国内买房全流程助手

Security checks across malware telemetry and agentic risk

Overview

This is a coherent China-focused home-buying guide with a local calculator script, but users should verify tax and loan outputs before relying on them.

Install only if you want China-focused home-buying guidance. Treat the included tax, fee, and mortgage numbers as estimates, confirm city-specific rules with banks or official agencies, and be especially careful with the personal income tax exemption because the script does not separately ask whether the seller's home is the family's only housing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This is a real logic flaw in a finance-related calculator: the code grants personal income tax exemption solely when `years_owned >= 5`, while the comment and real-world rule require an additional 'only housing' condition. In the context of a house-buying assistant, users may rely on this output for transaction budgeting, causing them to materially underestimate closing costs and make poor financial or contractual decisions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad and cover many common housing-related terms, which can cause the skill to activate in situations where the user did not intend to invoke a specialized house-buying workflow. Overbroad activation can lead to irrelevant, localized, or overly prescriptive advice being injected into benign conversations, increasing the risk of confusion or bad decisions in a high-stakes financial domain.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill is explicitly localized for domestic Chinese home-buying and Chinese-language operation without any opt-in or jurisdiction check. In a regulated, location-sensitive area like real estate, automatically applying China-specific assumptions on taxes, loans, hukou, or school-district rules can mislead users in other locales and produce materially incorrect financial or legal guidance.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal