Zhuge Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent football prediction skill with local history files and documented external sports and LLM API use, but users should understand the credential, LLM, and local logging tradeoffs.

Install only if you are comfortable giving this skill sports-data and optional LLM API keys. Avoid the relay provider or custom LLM base URLs unless you trust that service, because prompts and keys may pass through it. Treat predictions as local records stored under the skill directory, review exports before sharing, and consider pinning dependencies and clearing error logs if provider failures might have written credential-bearing URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    if not deps_ok:
        print()
        if confirm("现在自动安装依赖?", default=True):
            os.system(f"{sys.executable} -m pip install -q requests python-dotenv")
            print(f"  {GREEN}✓{RESET} 依赖已安装")
        else:
            print(f"  {GRAY}跳过依赖安装。手动跑: pip install -r requirements.txt{RESET}")
Confidence
91% confidence
Finding
os.system(f"{sys.executable} -m pip install -q requests python-dotenv")

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README encourages broad natural-language invocation such as asking the agent to 'run guard mode' or perform periodic result backfill, without defining narrow trigger conditions, confirmation requirements, or scope limits. In agent environments, vague activation phrasing can cause over-invocation of the skill and unintended execution of networked or persistent behaviors based on loosely related user requests.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The Cursor rule says the skill may be used whenever the user wants to predict matches or make structured decisions, which is far broader than the skill's actual football-prediction purpose. This kind of overbroad routing rule can cause an agent to invoke external scripts unexpectedly for unrelated decision-making tasks, increasing the chance of unintended command execution and data access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README advertises pushing local 'crystals' to a shared pool and reusing other users' shared artifacts, but it does not clearly warn users what data may leave the machine, where it is sent, or what metadata may be included. In a skill context, silent or poorly disclosed sharing can lead to unintentional disclosure of user-generated records, predictions, or derived usage patterns.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`log_error()` persists exception text and arbitrary `context` data directly to disk, which can capture secrets, personal data, tokens, file paths, query strings, or internal system details. Because `str(exc)` and caller-supplied context are logged without redaction, sensitive information may be exposed to anyone with filesystem or backup access and may persist longer than intended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When --llm is enabled, the script sends derived report data to an external LLM provider via client.chat() without any explicit warning, consent flow, or indication of what data leaves the local environment. Even though the transmitted fields appear aggregate rather than obviously secret, they still disclose operational data to a third party and could violate user expectations or data-handling requirements in privacy-sensitive deployments.

External Transmission

Medium
Category
Data Exfiltration
Content
        }
        if system:
            body["systemInstruction"] = {"parts": [{"text": system}]}
        r = requests.post(
            f"{self.base}/models/{self.model}:generateContent?key={self.api_key}",
            json=body,
            timeout=timeout,
Confidence
82% confidence
Finding
requests.post( f"{self.base}/models/{self.model}:generateContent?key={self.api_key}", json=

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28
python-dotenv>=1.0
Confidence
95% confidence
Finding
requests>=2.28

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28
python-dotenv>=1.0
Confidence
94% confidence
Finding
python-dotenv>=1.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
85% confidence
Finding
python-dotenv

VirusTotal

67/67 vendors flagged this skill as clean.