ZeeLin Deep Research 深度研究

Security checks across malware telemetry and agentic risk

Overview

The skill is a mostly coherent ZeeLin research helper, but it sends user prompts to an external service and can automatically create/share Feishu documents or temporary report files without clear consent and cleanup boundaries.

Install only if you are comfortable sending research prompts and generated reports to ZeeLin and using a DESEARCH_API_KEY. For Feishu use, be aware the skill may create a Feishu document and write the generated report into it; confirm that is acceptable for confidential research, and manually clean up temporary report files if your environment retains /tmp contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill expands from research retrieval into creating and populating Feishu documents with externally generated report contents. That broadens the capability surface to third-party workspace modification and data propagation, which can expose sensitive user prompts or generated content into a collaboration platform without explicit consent and exceeds the minimal privilege implied by the manifest.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs sending user research queries, session identifiers, and related content to an external API but does not provide a clear user-facing disclosure or consent step. In a research assistant context, prompts may contain proprietary business, personal, or confidential information, so silent third-party transmission materially increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill downloads generated reports to local temporary storage and forwards them without warning users about local persistence, file exposure, or cleanup. Research reports can contain sensitive business or personal data, and temporary files in shared or retained environments may be accessible longer than expected.

VirusTotal

65/65 vendors flagged this skill as clean.
