File Organizer Zh 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This file organizer matches its purpose, but it can automatically move many files from broad user folders without a preview or confirmation.

Install only if you are comfortable with a skill that can reorganize Desktop, Downloads, Documents, or a specified Windows path immediately after a matching prompt. Test it on a copy or small folder first, keep backups for important files, and avoid broad prompts unless you intend it to move the folder’s top-level files into category subfolders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 89% confidence
Finding
The trigger keywords are very broad everyday terms like “整理” and “分类,” which can cause the skill to activate unintentionally during unrelated conversations. For a skill that can reorganize files and remove duplicates, accidental invocation could lead to disruptive or irreversible file operations in the wrong directory.

Missing User Warnings

Medium, 94% confidence
Finding
The skill advertises file reorganization and duplicate cleanup but does not warn users that these actions can move, rename, or delete files. In this context, missing warnings materially increase the chance of user surprise, unsafe consent, and data loss if the tool acts on important folders.

Missing User Warnings

High, 96% confidence
Finding
The skill performs file-moving operations immediately after parsing a path from the user message, with no dry-run preview, confirmation step, or safeguard against accidental invocation. Because it reorganizes a real user directory in place, a mistaken trigger or ambiguous request can unexpectedly relocate many files, disrupting workflows and potentially causing data loss symptoms if applications or users can no longer find moved files.

VirusTotal

66/66 vendors flagged this skill as clean.
