ClawHub

Huo15 Openclaw Brand Protocol

Security checks across malware telemetry and agentic risk

Overview

This is a brand-research instruction skill that creates a local brand specification from official sources, with no hidden execution or credential use found.

Install this if you want help extracting brand visuals into a local brand spec. Before running generated curl, Playwright, ImageMagick, or grep commands, verify the URL is official and public, the output path is expected, and you have rights to use the downloaded brand assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The description and trigger wording are broad enough to match common design requests such as brand research, brand spec creation, or visual guideline extraction without tightly constraining when this skill should activate. This can cause unintended invocation of the skill in unrelated or only partially related contexts, leading the agent to follow the wrong workflow and potentially fetch or direct handling of external resources when a simpler or safer skill should have been used.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Several aliases are generic terms like '品牌调研', 'brand protocol', 'brand spec', and 'VI 规范', which may appear in many benign design discussions and can spuriously activate the skill. Ambiguous activation terms increase the chance that an attacker or even a normal user can steer the agent into this skill unexpectedly, bypassing more appropriate routing and causing incorrect collection or processing behavior.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list repeats broad phrases like '抓品牌', '品牌调研', and '视觉规范' without defining scope boundaries, exclusions, or negative examples. In practice this makes the skill easy to invoke from ordinary design conversations, increasing misrouting risk and making adversarial prompt phrasing more effective at forcing this workflow to run.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal