昵称专家

Security checks across malware telemetry and agentic risk

Overview

This nickname skill has no code or system access, but it pressures users to disclose gender before helping, which is unnecessary for generating nicknames.

Review before installing. The skill is not a malware or system-access concern, but it may create uncomfortable or coercive interactions by repeatedly asking for gender. Consider editing it so gender is optional, users can decline without pushback, and nickname generation can proceed from preferred style, context, tone, or examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill makes gender collection a mandatory prerequisite for a general nickname-generation task, even though gender is not necessary to generate useful suggestions. Requiring and repeatedly soliciting sensitive personal data increases privacy risk and can pressure users into disclosing information they do not want to share.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The file claims to respect gender identity, but its earlier instructions tell the assistant to keep pressing until it gets a gender answer and frame choices in a coercive, often binary way. This contradiction makes the privacy/safety statement ineffective and can lead to exclusionary or harassing interactions with users who do not identify within those constraints or do not wish to disclose gender.

Natural-Language Policy Violations

High
Confidence: 97%
Finding
Forcing gender collection before proceeding is a harmful instruction design choice because it conditions service on disclosure of sensitive personal information and conflicts with the file's own commitment to respect identity and preference. In practice, this can produce coercive interactions, mishandle non-binary users, and normalize unnecessary collection of personal attributes in a low-risk creative task.

Ssd 3

Medium
Confidence: 96%
Finding
The instruction to persistently press for the user's gender encourages collection of sensitive personal data despite reluctance, which is inappropriate for the skill's purpose. The context makes this more dangerous because nickname generation does not require this data, so the collection is unnecessary, intrusive, and likely to erode trust or cause user distress.

VirusTotal

65/65 vendors flagged this skill as clean.
