kanshuclaw

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed KanshuClaw API connector for creating, reading, and continuing AI novels, with no evidence of hidden code execution or unrelated data access.

Install this only if you intend to let your agent send novel titles, prompts, search terms, and generation requests to KanshuClaw. Use a dedicated revocable API key, verify the API base URL, and confirm before creating novels or generating chapters because those actions may consume daily quota.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger phrase for continuation, such as '帮我续写下一章', is broad enough that normal conversational requests about writing, brainstorming, or discussing a story could unintentionally invoke the generation API. Because the action consumes a limited daily quota and starts an asynchronous job, accidental matches can cause unwanted state-changing operations and user surprise.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal