ClawHub
Back to skill

Security audit

易软智联数据交互技能

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed EasySoft reporting skill that handles sensitive business credentials, with a trigger-scope caution but no evidence of hidden or malicious behavior.

Install only if you trust the publisher and need EasySoft report access. Use a least-privilege or read-only EasySoft account where possible, confirm where the runtime stores credentials, and avoid entering administrator credentials. Be aware that generic report requests could invoke this skill, so confirm it is accessing EasySoft before providing credentials or running queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger description uses very broad business terms such as '报表', '数据查询', '欠费', '应收', '实收', and '月报', which can cause the skill to activate on many generic finance or reporting requests that were not meant for this EasySoft integration. Because this skill prompts for and stores sensitive credentials, unintended invocation increases the chance of credential phishing, accidental disclosure into the wrong skill context, or unnecessary access to sensitive tenant/accounting data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad, commonly used business terms such as '报表', '数据查询', '欠费', '应收', '实收', and '月报', which can cause the skill to activate in unrelated conversations. Because this skill collects and uses sensitive enterprise credentials and queries business data, accidental invocation increases the risk of unnecessary credential prompts, unintended data access, and user confusion.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.