ClawHub

行业分析·生态图谱

Security checks across malware telemetry and agentic risk

Overview

This is a file-producing industry research skill whose local writes are disclosed and aligned with its purpose.

Install this if you want an industry ecosystem report generator. Run it in the intended project/output folder and expect it to create or modify the report and session tracking files; review existing output before rerunning if overwrites matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly writes `output/{industry-slug}/02-ecosystem.md` and later updates `session.json`, but it does not require user confirmation or provide any user-facing notice that local files will be created or modified. In an agent environment, silent state changes can overwrite prior analysis, create unexpected artifacts, or mutate shared workflow state in ways the user did not intend.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The standalone mode states that if no `session.json` is provided, the skill will automatically generate a minimal one. Auto-creating state files without notice broadens the write surface and can leave persistent artifacts or trigger downstream pipeline behavior based on a file the user never explicitly approved.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal