Security audit

Cjl Plugin

Security checks across malware telemetry and agentic risk

Overview

This is a useful personal skill bundle, but it needs review because several skills automatically save potentially sensitive notes and one workflow can use Chrome browser cookies for authenticated X downloads.

Install only if you are comfortable with a personal workflow bundle that saves generated notes and media into fixed local folders. Before using sensitive skills such as relationship or investment analysis, ask the agent not to save files unless you explicitly approve the path. For X downloads, do not allow Chrome cookie access unless you understand that it uses your local browser session.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration

Findings (32)

Context-Inappropriate Capability

Severity: Medium. Confidence: 92%.
Finding: The skill instructs the agent to run a shell command solely to generate a timestamp, which is unnecessary for the core task of explaining a concept. Any shell invocation expands the action surface and normalizes command execution in a skill that otherwise only needs text generation and optional file naming.

Description-Behavior Mismatch

Severity: Medium. Confidence: 97%.
Finding: The skill is presented as a concept-explanation tool, but it persists output into ~/Documents/notes without making that side effect central to the user-facing description. This creates an unexpected file-write capability that can clutter user storage, upend expectations about assistant behavior, and condition users to accept hidden persistence from seemingly read-only requests.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
Finding: The skill's primary purpose is paper-lineage analysis, but it also instructs the agent to read a local template and write a generated Org file into a fixed notes directory. That introduces an unnecessary filesystem side effect that can modify user data without an explicit, contextual confirmation step, which is risky even if the author likely intended convenience rather than harm.

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.
Finding: The Denote-specific filename, timestamp, and output-directory rules embed local note-management behavior into a research-analysis skill. This broadens the skill's effective permissions and encourages writes to a user filesystem location that is not strictly necessary to answer the user's request, increasing the chance of unauthorized or surprising side effects.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
Finding: The skill's stated function is relationship analysis, but it additionally instructs the agent to create and write a local org-mode file. That expands its effective capability from conversation to filesystem persistence without clear user-driven justification, increasing privacy and data-handling risk for highly sensitive relationship disclosures.

Context-Inappropriate Capability

Severity: Medium. Confidence: 94%.
Finding: Automatic local note persistence is not necessary to perform conversational relationship analysis and therefore constitutes an unjustified extra capability. Because the content involves intimate personal disclosures and inferred psychological patterns, storing it by default creates avoidable retention and confidentiality risk.

Description-Behavior Mismatch

Severity: Medium. Confidence: 90%.
Finding: The skill advertises "zero external dependencies" and offline operation, but later requires loading Chart.js from public CDNs and offers online deployment. This mismatch can mislead users and downstream agents into trusting generated artifacts as self-contained when they may perform network access, weakening informed consent and supply-chain expectations.

Intent-Code Divergence

Severity: Medium. Confidence: 87%.
Finding: The file simultaneously states that generated HTML should have no external dependencies while mandating CDN-hosted Chart.js for data slides. Contradictory delivery requirements create ambiguity about whether output is safe to open in restricted or offline environments, which can cause unexpected outbound requests or broken rendering.

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.
Finding: The skill explicitly instructs use of `--cookies-from-browser chrome` to access authenticated or restricted X content, which goes beyond unauthenticated media download and accesses local browser session material. Even if intended for convenience, this expands the skill's privileges into sensitive credential-adjacent data and can enable access to content the user did not explicitly authorize the agent to retrieve.

Vague Triggers

Severity: Medium. Confidence: 85%.
Finding: The plugin states it can be triggered via `/cjl-{name}` or natural language, while aggregating 17 heterogeneous skills, including potentially sensitive workflows such as media downloading, investment research, presentation generation, and paper processing. Broad natural-language activation increases the chance of accidental invocation, prompt confusion, or routing into a more capable skill than the user intended, which is riskier in a multi-skill plugin context.

Missing User Warnings

Severity: Medium. Confidence: 92%.
Finding: The skill explicitly states it writes PNG files to ~/Downloads/ as part of normal operation, but does not clearly warn about this side effect at invocation time or require confirmation. That can lead to unexpected filesystem writes, accidental disclosure through predictable file placement, or clutter/overwrite risks when users only intended a preview or transformation without persistence.

Missing User Warnings

Severity: Medium. Confidence: 96%.
Finding: The skill explicitly directs the agent to write a file to a fixed local path under ~/Documents/notes/ without requiring prior user confirmation or warning about filesystem modification. That can cause unintended local side effects, overwrite/conflict risks, and privacy issues if sensitive investment materials are persisted automatically on the user's machine.

Missing User Warnings

Severity: Medium. Confidence: 96%.
Finding: The skill directs the agent to write an org file into the user's Documents directory and report completion, but it provides no visible warning or confirmation step. Silent persistence is dangerous because users may not realize a normal explanation request causes local file creation, which can violate expectations and lead to unintended data placement.

Missing User Warnings

Severity: Low. Confidence: 88%.
Finding: The skill explicitly produces org and PNG artifacts and reports file paths, but it does not warn the user that files will be created or clarify the output location and overwrite behavior. This can lead to unexpected writes, disclosure of local filesystem structure in outputs, or accidental clobbering of existing files, especially when processing multiple papers in parallel.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding: The instruction to use a fixed output directory under the user's home notes path creates an undisclosed persistence side effect. A user asking for analysis may not expect local files to be created, and silent writes can clutter notes, disrupt expected workflows, or normalize unsafe behavior for future skills.

Missing User Warnings

Severity: Medium. Confidence: 96%.
Finding: The final execution step explicitly directs reading a local template and writing the result to disk, but the skill does not require explicit consent immediately before the side effect. This is dangerous because it turns a content-analysis request into a local file operation, which can violate user expectations and weaken boundaries around agent-initiated persistence.

Vague Triggers

Severity: Medium. Confidence: 90%.
Finding: The trigger condition includes the generic English word "paper," which is overly broad and can cause the skill to activate during ordinary conversation unrelated to academic papers. Unintended invocation matters here because the skill is instruction-heavy and can steer outputs into file-writing, web fetching, and rigid formatting behaviors the user did not ask for.

Natural-Language Policy Violations

Severity: Medium. Confidence: 86%.
Finding: The skill mandates Chinese-centric output and formatting conventions without checking the user's language or preferences, which can override user intent and cause unsafe or unexpected behavior in multilingual contexts. In this skill, the risk is amplified because the constraints are not just stylistic: they also prescribe output structure, file conventions, and downstream note-taking behavior that may be inappropriate for the user's environment.

Missing User Warnings

Severity: Medium. Confidence: 97%.
Finding: The skill instructs the agent to write generated content into a fixed local notes directory under the user's home folder without requiring explicit confirmation at the point of write. This creates an unauthorized local side-effect risk: the agent may persist sensitive, copyrighted, or unwanted content to disk simply from a normal explanation request, which is especially risky for a user-invocable skill expected to process arbitrary input.

Missing User Warnings

Severity: Medium. Confidence: 98%.
Finding: The execution step explicitly directs automatic Org file generation and storage in ~/Documents/notes/, again without a confirmation gate or safety disclosure. In context, this is more dangerous because the skill accepts URLs, text, file paths, and search-derived content, so it can transform diverse, possibly sensitive inputs into durable local files without the user's informed approval.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding: The skill directs the agent to create a file in ~/Documents/notes/ automatically and only report the path afterward, without requiring prior user confirmation. This can cause unintended local filesystem writes, expose sensitive user prompts in persistent storage, and violate user expectations about when an agent modifies the device.

Vague Triggers

Severity: Medium. Confidence: 83%.
Finding: Using the generic English trigger term "relationship" can cause the skill to activate in ordinary conversation where the user did not intend deep relationship analysis or sensitive note-taking behavior. In this skill, unintended activation is more concerning because later instructions include probing psychoanalytic questioning and file persistence of personal information.

Missing User Warnings

Severity: High. Confidence: 98%.
Finding: The skill directs the agent to write detailed relationship analysis to a local file without first warning the user that sensitive personal and psychological information will be stored persistently. This is dangerous because users may reveal intimate details under the assumption of transient conversation, while the skill silently creates durable records that could later be accessed, synced, backed up, or disclosed.

Vague Triggers

Severity: Medium. Confidence: 89%.
Finding: The trigger phrases include very generic terms such as “圆桌”, “roundtable”, and “辩论”, which can match ordinary user conversation and cause the skill to activate unexpectedly. Because this skill performs structured prompting and later writes output to disk, accidental activation can lead to unintended behavior, privacy surprises, or unrequested file creation.

Missing User Warnings

Severity: Medium. Confidence: 96%.
Finding: The skill instructs the agent to write an org file into the user's home directory, but the skill description does not clearly warn that local files will be created. This is dangerous because users may invoke the skill for a conversational debate and not realize it will persist potentially sensitive content to disk, especially if activation happens via broad triggers.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.