ClawHub

电商滋补品详情页设计

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent ecommerce product-page workflow, but users should be careful with its watermark-removal guidance and local export behavior.

Install only if you need a Chinese ecommerce detail-page workflow for tonic or health-product listings. Use the export script with a deliberate output folder, review all health and advertising claims manually, and do not remove watermarks or alter images unless you own the rights or have clear authorization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill includes explicit watermark removal instructions using image inpainting even though its stated purpose is ecommerce product-page design. Watermark removal can facilitate copyright circumvention, provenance tampering, or deceptive reuse of third-party assets, making this materially riskier than ordinary image editing guidance.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases are broad enough to match common requests like '做详情页' or '产品详情页', which can cause the skill to activate outside its intended narrow context. Over-broad activation increases the likelihood that risky behaviors in the skill, including shell usage and image modification guidance, are invoked when not necessary or expected.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The 'when to use' section is ambiguous and overlaps with general product-page design requests, so the skill may be selected for unrelated tasks. In context, that matters because the skill contains sensitive operational steps like local file writing, browser automation, and watermark-removal guidance that should not be broadly available by default.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill describes removing watermarks but provides no warning about ownership, authorization, or legal/compliance implications. This omission lowers friction for misuse and normalizes modification of protected source images, which can enable IP infringement or deceptive asset laundering in a commercial setting.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The export workflow writes generated files to a desktop folder without explicitly warning the user that files will be created and where they will be stored. While lower severity than the image-manipulation issues, silent file creation can surprise users, expose sensitive project names on shared machines, or clutter unintended locations.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal