雄韬易经 - A Helpful Assistant for Doing Business

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed business-analysis reference skill; the only side effect is low-impact local report generation, and only when requested.

Install only if you want this business-decision analysis framework. Invoke it explicitly with /雄韬易经 for relevant business questions, and when asking for a report or PDF, confirm where the generated HTML file will be written and avoid overwriting important files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Low
Confidence: 92%
Finding:
The skill instructs the agent to write a local HTML file when the user requests a report or PDF, but it does not require explicit user-facing notice about file creation details, output path, or overwrite behavior. This can lead to unexpected local side effects, accidental overwriting, or user confusion about where artifacts were created, especially in environments where filesystem actions are sensitive.

Vague Triggers

Medium
Confidence: 90%
Finding:
The trigger phrases include very generic requests such as “生成报告”, “输出PDF”, and “画个卦象图”, which can overlap with ordinary user intent outside this specific skill. In an agent environment, broad triggers can cause unintended activation or tool use, leading to incorrect file generation or cross-skill confusion when the user did not intend to invoke this reporting workflow.

Vague Triggers

Medium
Confidence: 91%
Finding:
The usage guidance tells the agent to match on broad semantic dimensions like situation keywords, business stage, and core contradiction without defining hard boundaries or exclusion criteria. That can cause the skill to activate on loosely related business discussions, increasing the chance of unintended invocation, context hijacking, or over-collection of user context for a specialized framework.

Vague Triggers

Medium
Confidence: 94%
Finding:
The example phrases include common, conversational expressions such as '太卷了', '活不下去了', and '上市了然后呢', which are too generic to safely function as triggers. In a broad assistant environment, these phrases could appear in ordinary conversation and spuriously activate the skill, causing irrelevant or intrusive responses and reducing user control over tool use.

VirusTotal

63/63 vendors flagged this skill as clean.
