traffic-law

Security checks across malware telemetry and agentic risk

Overview

This is a local traffic-law document parsing skill that reads user-selected Word documents and writes parsed outputs, with no evidence of exfiltration, credential use, persistence beyond output files, or destructive behavior.

Install only if you need local traffic-law document parsing or exam-answer templates. Run it on a specific trusted folder, choose output paths deliberately, and avoid sharing the generated JSON, Markdown, or raw text files if the source documents contain private legal, case, or exam information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger conditions are broad enough to match generic legal-information or document-extraction requests, increasing the chance the skill activates outside its intended narrow traffic-law document scope. In context, this is more dangerous because the skill also implies file access and batch processing, so over-broad invocation could lead to unnecessary access to local documents or unintended answer generation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The file locations section describes source and output paths, but the skill does not clearly warn users that it may batch-process many files and persist extracted content to disk. Because these are legal documents that may contain personal or case-sensitive information, silent bulk reading and writing increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script writes extracted exam content to disk as a raw text file and also saves a generated answer document without any explicit consent prompt, retention control, or sensitivity warning. In this skill context, exam papers and legal/education documents may contain personal, confidential, or regulated information, so silent persistence increases the risk of data leakage through shared directories, backups, logs, or later unauthorized access.

VirusTotal

65/65 vendors flagged this skill as clean.
