ClawHub

city-walker

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal Chinese city-walking route planner, with the main caveat that it may activate on broad walking or nearby-exploration requests.

Install this if you want a Chinese-language assistant for city stroll and local exploration routes. Be mindful that it may trigger on casual phrases like wanting to walk around or explore nearby, and only provide a current location, hotel, workplace, or start point when you are comfortable using that information for POI search.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description uses very broad trigger phrasing such as '逛逛城市' and '探索附近', which overlaps heavily with ordinary conversation and can cause unintended invocation. While not a code-execution issue, overbroad activation can route users into an unrelated skill, causing confusing behavior, unnecessary data collection such as location/context gathering, and reduced trust in the agent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger scenarios are open-ended and lack clear boundaries or exclusions, so common requests like '附近有什么好玩的' or '今天想出去走走' could match many unrelated intents. This increases the chance of accidental activation and inappropriate handling of user requests, especially because the skill may then prompt for location and build itineraries the user did not actually request.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger description is broad and overlaps with common conversational phrases like wanting to walk around, explore nearby, or find somewhere to stroll. That can cause unintended skill invocation, which is a real security and safety issue because location-sensitive recommendations may be generated when the user did not explicitly intend to use this skill.

VirusTotal

No VirusTotal findings

View on VirusTotal