agclaw

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to be a coherent AppGrowing/YouCloud advertising-analysis connector, but users should understand that prompts are sent to an external service.

Install only if you trust AppGrowing/YouCloud with the prompts you submit and are comfortable configuring YOUCLOUD_API_KEY. Avoid sending secrets, customer personal data, unreleased campaign details, or confidential business material unless your organization permits that external processing.

SkillSpector (2)

By NVIDIA

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger conditions are broad enough that ordinary user phrases like '分析素材' or '投放分析' may activate the skill unintentionally. Because this skill sends user input to an external API and may continue conversation state via session_id, accidental activation can cause unintended data disclosure and confusing behavior without clear user consent.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly instructs sending user input and possibly prior session context to a third-party API, but it does not provide a clear user-facing notice that their content will leave the local assistant environment. This creates a real privacy and compliance risk, especially if users include sensitive business, marketing, or personal data in follow-up analysis requests.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal