ClawHub

Character Analysis

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only entertainment personality-analysis skill with privacy and advice cautions, but no hidden code, persistence, credential use, or automatic data transfer.

Install only if you are comfortable using it as entertainment. Avoid uploading identifiable or sensitive photos, do not rely on its personality or investment suggestions for important decisions, and avoid sharing private images or financial details through the listed WeChat contact unless you independently trust the recipient.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill directs users to move the interaction off-platform via a personal WeChat account, which is unrelated to the core on-platform functionality. This creates unnecessary trust, privacy, and safety risks because users may be exposed to unmoderated contact, data collection, social engineering, or monetization outside platform safeguards.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file contains behavioral economics and investment-guidance content that is materially outside the declared scope of a face/hand-based personality-analysis skill. This mismatch can mislead users and downstream systems about what the skill does, and it increases the risk that unvetted financial advice is delivered under an entertainment/personality-analysis label.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file content does not support the skill's stated behavior of deriving personality insights from facial and hand features; it only contains generic behavioral psychology material. This creates a specification–implementation mismatch that can mislead users about how sensitive biometric inputs are used, undermine informed consent, and mask unsupported or deceptive profiling behavior in the broader skill.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The file explicitly instructs '男左女右' (men use left hand, women use right hand), which imposes a gender-based rule without consent, accommodation for non-binary users, or any evidence-based justification. In a personality-analysis skill, this can lead to exclusionary treatment and discriminatory UX, especially if the agent applies different analysis paths based solely on inferred or declared gender.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal