ClawHub

夸克扫描王 文件扫描增强 - yescan scan universal

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Quark image-enhancement integration that uploads user-provided images for processing and saves returned images locally.

Install only if you are comfortable sending selected images to Quark's remote service. Avoid using it on highly sensitive IDs, contracts, medical, or financial documents unless that external processing is acceptable, and periodically clean the temp output directory if local copies should not remain.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The module exposes a generic file-write primitive that decodes arbitrary Base64 and writes it to disk, which exceeds the declared image-enhancement scope of the skill. In an agent/plugin context, broader-than-necessary file-writing capabilities increase abuse potential if another component passes attacker-controlled content or an attacker reaches this method indirectly, enabling storage of arbitrary payloads on the host filesystem.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The fallback trigger activates whenever a request merely expresses a generic optimization intent, which is overly broad for a skill that uploads user-provided images to a third-party service. This can cause accidental invocation on sensitive documents or images the user did not intend to send externally, increasing privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code loads stored credentials and sends user-supplied image data to an external OCR/enhancement service without any disclosure, consent, or trust-boundary signaling in this execution path. Because the skill handles potentially sensitive documents such as IDs, exams, and contracts, users may unknowingly transmit private content off-device, creating a real privacy and data-governance risk even if the behavior is functionally intended.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal