ClawHub

质性主题分析

Security checks across malware telemetry and agentic risk

Overview

This is a local qualitative-analysis skill that reads user-specified research files and creates analysis outputs, with privacy considerations but no evidence of hidden or unsafe behavior.

Install only if you are comfortable letting the agent read the specific research files you provide and include excerpts in derived coding tables or reports. Use a dedicated folder, remove unrelated files, anonymize participant details where possible, confirm consent for AI-assisted analysis, and store generated outputs as sensitive research data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
78% confidence
Finding
The activation criteria are broad enough that the skill could trigger on generic mentions of qualitative analysis or coding, causing the agent to request or process local research files when the user may not have intended that workflow. In a skill that reads local paths and produces derived outputs, overbroad triggering increases the risk of unintended sensitive-data handling and accidental file access escalation through normal conversation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The description says the skill analyzes locally stored qualitative materials and generates artifacts, but it does not prominently warn that this involves reading user-specified local files and writing output files. Because these materials are likely to contain sensitive interview, observation, or research data, insufficient disclosure can lead users to authorize processing without understanding the privacy and filesystem implications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal