Wangdongjie Cfo Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only CFO advisory skill with financial decision-support risk, but it does not run code, request credentials, persist data, or take privileged actions.

Install from the reviewed ClawHub package when possible. Use this skill as decision support for CFO, IPO, fundraising, M&A, and finance-strategy questions, but verify claims and consult qualified legal, accounting, tax, or investment professionals before acting on high-stakes recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 91%
Finding
The README describes activation in very broad terms: 'as long as a relevant scenario is triggered in a WorkBuddy conversation' and then lists many common finance-related scenarios without clear boundaries, constraints, or explicit trigger logic. This can cause the skill to activate in unintended contexts and provide authoritative CFO-style guidance when the user did not explicitly request this specific skill, increasing the risk of prompt hijacking of unrelated conversations or overreach into sensitive financial decisions.

VirusTotal

64/64 vendors flagged this skill as clean.
