Security audit

今日热点 (Today's Hot Topics)

Security checks across malware telemetry and agentic risk

Overview

This skill fetches hotspot/news lists from a declared API and does not install code or run background jobs unless the user approves scheduling.

Install if you are comfortable with the skill contacting hotspot.api4claw.com when invoked. Review any generated cron command before approving scheduled updates, especially the schedule, channel, recipient, and message text. Consider narrowing or avoiding the generic "热点" trigger if accidental activation would be disruptive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrase "热点" is extremely broad and can match many ordinary conversations unrelated to this skill. That creates over-invocation risk: the skill may activate in unintended contexts, causing unnecessary network requests, confusing responses, or steering the conversation into this skill when the user meant something else.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.