page-gen

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed HTML page generator for literary and media works, with only minor routing and language-scope caveats.

Install this if you want a Chinese-oriented generator for standalone HTML pages about literary or media works. Review generated pages if you need a different language, stricter trigger behavior, or avoidance of the disclosed external font mirror.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (90% confidence)
Finding
The trigger phrases are broad natural-language examples without explicit boundaries, so the skill may activate on loosely related requests and take over responses unexpectedly. In an agent system, over-broad activation can cause misrouting, unintended content generation, and reduced control over which skill handles a user request.

Natural-Language Policy Violations

Medium (77% confidence)
Finding
The README description is written as a fixed Chinese-language behavior without stating that output should follow user language or locale preferences. This can cause unintended language forcing, which may degrade usability, conflict with user intent, and in multi-skill systems contribute to incorrect routing or policy mismatches.

Vague Triggers

Medium (91% confidence)
Finding
The trigger phrases include very broad requests such as '帮我做个XX的网页' ("help me make a web page about XX"), which can match many generic web-page generation tasks outside the stated literature-work scope. This can cause unintended invocation, leading the skill to activate on unrelated prompts and potentially override a more appropriate or safer skill selection path.

VirusTotal

54/54 vendors flagged this skill as clean.
