Dota 2 Item Build and Playstyle Guide

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Dota 2 guide skill with local game data and optional public-data update scripts, with no evidence of hidden or harmful behavior.

Installers should know this is a low-risk game guide skill, but its broad trigger words may activate during general Dota conversations. Only run the update scripts when you intentionally want to refresh the local game data, since they make outbound requests and rewrite the skill's JSON files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list includes very broad phrases such as generic Dota-related terms and natural-language queries, which can cause unintended invocation when users are speaking generally rather than explicitly invoking the skill. In an agent environment, overbroad triggers increase the chance of accidental activation, irrelevant responses, and unexpected access to the skill’s data/update paths.

Missing User Warnings

Low
Confidence: 79%
Finding
The README states that the skill supports manual fetching from external public APIs and local data updates, but it does not clearly warn users that network access or local file modification may occur during maintenance or operation. This can create transparency and trust issues, and in some agent setups may lead to unexpected outbound requests or state changes.

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger list includes broad generic terms such as “dota” and “dota2,” which can cause the skill to activate in many unrelated conversations where those strings appear incidentally. This creates an invocation-scope problem: the wrong skill may take over user intent, leading to confusing behavior, prompt hijacking opportunities through accidental routing, or suppression of more appropriate skills.

VirusTotal

65/65 vendors flagged this skill as clean.
