ClawHub

Xiao Chuang You Health

Security checks across malware telemetry and agentic risk

Overview

This is a text-only Chinese wellness skill with broad health advice, but it does not install code, request credentials, access files, persist data, or hide unrelated behavior.

Install is reasonable from an agent-security perspective. Use it only for general wellness suggestions, be aware it may activate on broad everyday health or food terms, confirm any personal health assumptions before following advice, and consult a clinician for severe, persistent, worsening, pregnancy-related, chronic-condition, medication-related, or unusual symptoms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation keywords are overly broad and overlap with common everyday language such as eating, sleeping, feeling tired, or asking what to cook. This can cause the skill to trigger outside its intended scope and inject health guidance into unrelated conversations, increasing the chance of unsolicited or contextually inappropriate advice.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill gives behavioral and body-directed advice involving穴位, 导引术, 敲胆经, 艾灸, sleep adjustment, and food-therapy recommendations, but the safety language is limited to avoiding formal diagnosis and telling users to seek care only for acute conditions. Without clearer risk warnings, contraindications, red-flag escalation, and boundaries for vulnerable users, users may follow advice that delays medical evaluation or causes physical harm from inappropriate self-treatment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal