Security audit

HPM Solver

Security checks across malware telemetry and agentic risk

Overview

This is a local HPM game purchase-combination calculator, with only minor cautions around broad trigger wording and an optional external download link.

Use the reviewed files as an offline HPM calculator. Avoid downloading or running the linked tar.gz unless you trust the publisher or can verify its contents separately, and avoid entering sensitive personal information into local price or history fields.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Low
Confidence: 80%
Finding
The documentation embeds a direct external download link to a tarball, which expands the trust boundary beyond the reviewed skill text. Even if the current markdown is harmless, users may fetch and run unreviewed code or assets from that URL, creating a software supply-chain risk that is not necessary for understanding the solver logic.

Vague Triggers

Medium
Confidence: 84%
Finding
The top-level description includes broad trigger phrases such as '购买组合' ("purchase combination") and '残值计算' ("residual value calculation") that are not tightly scoped to the HPM game context. In an agent system, overly generic activation terms can cause the skill to trigger on unrelated user requests, leading to unintended behavior, incorrect tool selection, or unwanted data handling outside its intended domain.

Vague Triggers

Medium
Confidence: 90%
Finding
The dedicated trigger section lists activation phrases but does not define boundaries, exclusions, or disambiguation rules. This makes accidental invocation more likely, especially because several phrases are generic calculation terms; in agentic contexts, ambiguous routing can cause the wrong skill to process requests and produce misleading or inappropriate outputs.

VirusTotal

67/67 vendors flagged this skill as clean.