Hushuguo Malicious Mathhelper
hushuguo-malicious-mathhelper is a Claude Code plugin catalog entry in the Ship security phase that documents a known-malicious archive-only skill and must not be installed.
by hushuguo · github.com/hushuguo/malicious-mathHelper
Reference this catalog entry only when studying archived malicious Claude plugins—never install or run it in a real agent environment.
Add it to Claude Code
Install the plugin in Claude Code. One command, paste-ready.
/plugin install hushuguo-malicious-mathhelper@hushuguo/malicious-mathHelperBuilt to be called by your agent
Skillselion is itself an MCP server. Your agent can pull this entry and a paste-ready install config straight from the API - no copy-paste.
Retrieve this entry with skillselion.get_details("plugin:hushuguo/malicious-mathHelper") and the paste-ready config with skillselion.get_install_config("plugin:hushuguo/malicious-mathHelper").
What it does
hushuguo-malicious-mathhelper is an archived Claude Code plugin listing that Skillselion and upstream sources mark as malicious. It is not a math helper for solo builders; it is preserved so researchers, marketplace curators, and security-conscious developers can recognize unsafe community plugins before they reach production agents. The repository bundles one plugin with innocuous-sounding keywords, which is a common pattern for skills that should never run beside real API keys or repositories. If you are shipping with Claude Code, your goal is to exclude this slug from registries, document why it is quarantined, and use it only as a negative example when writing install policies. Installing it contradicts the publisher’s own warnings and normal supply-chain hygiene for AI-coding tools.
Highlights
- Catalogged as malicious with explicit DO NOT USE warnings in English and Chinese
- Archive-only specimen from hushuguo/malicious-mathHelper (1 plugin in bundle)
- Keyword bait: helps, mathhelper—useful for teaching typosquatting and fake utility skills
- No legitimate workflow; exists so directories can block or warn without deleting audit history
- Community-sourced auto listing—treat as threat intel, not a productivity tool
Why builders use it
Community plugin feeds can surface convincingly named skills that are actually malicious, and builders need a clearly labeled archive record instead of guessing from a repo name alone.
After recognizing this entry, you keep it out of Claude Code, add it to blocklists or internal warnings, and use it only as a reference when auditing similar math-helper plugins.
At a glance
- Type - Plugin in Security.
- Adoption - 0 installs, 1 stars, 0 votes.
FAQ
Who is hushuguo-malicious-mathhelper for?
It is for people curating or auditing Claude plugin catalogs who need a labeled malicious specimen—not for developers seeking a working math helper.
When should I use hushuguo-malicious-mathhelper?
Only when documenting supply-chain risk, training teammates on unsafe skills, or verifying that your marketplace blocks archived malicious entries—never during normal agent setup.
How do I add hushuguo-malicious-mathhelper to my agent?
You should not add it; leave it archive-only, exclude it from /plugin marketplace installs, and prefer vetted skills from trusted sources instead.
Comments
Share how you use hushuguo-malicious-mathhelper, gotchas, or tips for other indie builders.
No comments yet - be the first to share how you use it.