super-calculator

Security checks across malware telemetry and agentic risk

Overview

This is a local calculator skill with broad trigger wording but no evidence of hidden access, credential use, network calls, persistence, or destructive behavior.

Install only if you want a broadly triggered local calculator. Be aware it may activate on many number-related prompts, and treat finance, health, and exchange-rate outputs as reference calculations that should be verified for important decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger guidance is extremely broad ('describe your calculation need in natural language'), which can cause the skill to activate on many ordinary conversations involving numbers, dates, money, or comparisons. Over-broad activation increases unintended invocation risk, potentially routing user requests to the wrong skill and causing privacy or reliability issues.

Vague Triggers

Medium
Confidence: 88%
Finding
The slogan 'Trigger with one sentence, calculate anything' markets the skill as universally invocable from vague input, which weakens clear activation semantics. While not exploit code, this kind of wording encourages permissive matching and can contribute to accidental triggering or intent confusion in agent orchestration.

Vague Triggers

High
Confidence: 92%
Finding
The skill declares an extremely broad activation scope for 'any calculation-like expression,' which increases the chance of unintended invocation during normal conversation. Over-broad triggering can cause routing hijacks, unexpected processing of user input, and interference with more appropriate skills, especially for finance or health-related prompts where accuracy and context matter.

Vague Triggers

High
Confidence: 95%
Finding
The direct-trigger keyword list contains generic terms such as '计算', '多少钱', and '换算' without negative conditions or contextual constraints, making accidental activation likely. This can misroute ordinary user requests, degrade system reliability, and in sensitive domains like loans or health metrics may present misleading outputs without confirming required inputs.

VirusTotal

67/67 vendors flagged this skill as clean.
