ClawHub

Gridman古立特

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent finance/tax assistant, but its installer and runtime instructions give an AI broad authority to install software, edit persistent MCP configuration, and store sensitive business context without strong review gates.

Install the knowledge-only skill only if you are comfortable with a broad finance/tax assistant reading the included Markdown references. Do not let an agent run INSTALL.md automatically; review every command, avoid piping remote scripts into a shell, verify any wheel/package source, and manually approve MCP config changes. If you enable OCR or memory, treat uploaded files, tokens, and gridman-mind outputs as sensitive financial data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The guide instructs the agent to fetch and execute remote bootstrap installers (`irm ... | iex` / `curl ... | sh`) as part of installing the skill. This creates a direct code-execution path from an external source that is not inherently necessary for a finance/tax skill, and if the upstream script or transport is compromised, the host running the agent can be taken over.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The file tells the AI to discover local paths and write or modify MCP/client configuration files across many platforms, adding a new server entry automatically. That is sensitive local state modification which can persistently alter agent behavior and enable execution of the supplied package without a clear, explicit user review step.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file explicitly states it excludes unofficial tax-warning thresholds, then later reintroduces an unofficial industry tax-burden reference table with threshold-based usage rules. In a finance/tax skill, this contradiction can mislead users into treating non-authoritative heuristics as validated compliance criteria, causing poor self-assessment or risky tax decisions.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The update note claims unreliable threshold material was deleted, but the document still contains an unofficial tax-burden threshold table and related trigger guidance. This creates a trust and integrity problem: users may rely on the changelog as assurance that only verified rules remain, when unverified thresholds are still present.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly tells an installer AI to automatically read INSTALL.md and execute its steps, including detecting tools, installing packages, and writing MCP configuration, without requiring explicit user confirmation or describing the resulting system changes. In an agent-skill context, this creates a real risk of silent configuration modification or package installation on the user's machine, especially because the document is framed as instructions to another AI rather than to a human operator.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The guide instructs the integrator to use the user's MINERU_API_TOKEN for OCR but provides no warning about secret handling, storage, logging, or scope of exposure. In a multi-platform AI/MCP setup, omission of credential-handling guidance can lead to tokens being placed in plaintext configs, echoed in logs, or shared with tools unintentionally.

Vague Triggers

High
Confidence
94% confidence
Finding
The installation flow is designed to activate on very broad trigger phrases such as '安装 MCP' or branded terms that could easily appear in normal discussion. Because the flow includes installing software and editing configuration, accidental or adversarial triggering could cause unauthorized setup actions from an innocuous conversation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions direct the agent to write local MCP configuration files but do not require a user-facing warning that persistent local files will be created or modified. This reduces informed consent and increases the chance of silent persistence, especially dangerous because the config enables future execution of the installed package.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly states that an AI will 'automatically complete' uv checks, wheel installation, and MCP configuration after reading INSTALL.md, but it does not provide a prominent consent boundary, preview of changes, or warning about filesystem/environment modification. In an agent setting, this can normalize silent package installation and configuration changes, increasing the risk of unauthorized code execution, persistence, or unintended network and system effects if the installation artifact or instructions are unsafe.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The trigger list contains broad English phrases such as "Hyper Agent", "Access Flash", "Access Code", and "Access Mode" that are not uniquely tied to this skill and can match unrelated conversations. This can cause accidental invocation and prompt hijacking of normal user interactions, especially because the skill then imposes extensive behavioral instructions over the assistant's default behavior.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The short trigger token "SSSS"/"ssss" is highly ambiguous and likely to collide with unrelated text, abbreviations, or casual input. Because the skill contains a large amount of high-priority instruction text, even a stray match could unexpectedly activate the persona and operating rules in contexts where the user did not intend to use this skill.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The file explicitly states broad '用途' routing guidance for questions like subsidies, local debt, and policy distortion, but does not define boundaries, exclusions, or disambiguation rules. In an agentic skill, this can cause over-routing of general political or macroeconomic discussion into a specialized governance-analysis module, increasing the chance of irrelevant, biased, or overly authoritative responses outside intended scope.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The added trigger phrases such as '零基预算', '预算改革', '预算编制', '绩效预算', '地方税改革', and '央地财政' are highly generic and lack contextual constraints. This makes accidental activation likely whenever users discuss public finance in a broad or educational sense, which can misroute requests and amplify this skill's framing beyond its intended use cases.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The '何时路由到本文件' section uses open-ended natural-language question patterns as routing criteria without any negative examples or ambiguity resolution. In practice, this encourages the system to treat broad user phrasing as sufficient evidence for selecting this module, which can lead to systematic overreach, incorrect specialization, and reduced answer quality or safety when adjacent topics are involved.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The activation conditions are broad natural-language phrases like '怎么提问', '帮我分析这个问题该怎么想', and generic requests for training or improving thinking. This can cause the skill to activate for ordinary user queries outside finance/tax contexts, increasing prompt hijacking of unrelated conversations and making the agent follow domain-specific framing when it was not intended.

Vague Triggers

Medium
Confidence
84% confidence
Finding
W1 uses broad natural-language triggers for a high-impact workflow that can initiate multiple audit actions. Without an explicit confirmation gate, ordinary conversation about accounts receivable could unintentionally route into a semi-automated audit sequence and cause inappropriate tool invocation or premature business conclusions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Allowing the user to request 'run the complete bank audit' in one shot creates a risky path for chaining several sensitive operations without sufficient checkpoints. In a finance/audit skill, this increases the chance of overbroad processing, accidental generation of audit artifacts, and misuse of bank-related data or outputs based on misunderstood inputs.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The W6 trigger terms are generic financial phrases that commonly appear in ordinary discussions, making unintended activation plausible. Because month-end close actions can cascade across reconciliations, accruals, cutoff checks, and reporting, accidental routing could lead to unnecessary processing and misleading finance outputs.

Vague Triggers

High
Confidence
94% confidence
Finding
The auto-routing table maps broad keywords directly to powerful workflows without describing ambiguity resolution, negative matches, or confirmation requirements. In this skill, many workflows trigger multi-tool financial analysis or document generation, so misrouting can cause inappropriate data handling, incorrect audit procedures, or user confusion with real business consequences.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill uses very broad natural-language trigger phrases such as “装古立特”, “安装 MCP”, and “install gridman” to initiate installation behavior. In an agent environment, these phrases can plausibly appear in ordinary conversation or be induced by prompt content, causing unintended package installation and configuration changes without sufficiently explicit user confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions tell the AI to automatically check for uv, install it if missing, locate a wheel, and write MCP configuration, but they do not present a strong user-facing warning that this modifies the local environment and may trigger network downloads. In an agentic IDE context, that materially increases the risk of silent system modification, dependency installation, and trust in an unreviewed local wheel package.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal