Wangxiaomei Data Assistant (旺小美数据助手)

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible Wangxiaomei data assistant, but it gives an agent broad access to sensitive customer, recording, visit, account, and tenant/project context data with weak activation and confirmation boundaries.

Install only if you trust the Wangxiaomei/Wangxiaobao services and want an agent to access authorized business records. Use explicit prompts, verify the active tenant/project before queries, avoid shared machines, do not expose the raw token, and clear ~/.wangke-auth-token when access is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation indicates capabilities equivalent to shell and environment access, yet no explicit permissions are declared. This creates a transparency and governance gap: users and the host agent may not understand that the skill can read/write local files and invoke commands, which is especially risky because the skill handles authentication material. In this context, undeclared local execution capability increases the chance of silent token persistence, deletion, or misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill claims to query customer, audio, and visit data, but it also performs authentication bootstrapping, retrieves broader account metadata, enumerates tenant/project scope, switches project context, and stores tokens locally. Those behaviors materially expand the privilege and attack surface beyond a simple query skill, and can lead to unauthorized cross-project access or credential exposure if users are not clearly informed. Because the data involved includes customer records and recordings, the mismatch is more dangerous than a harmless documentation omission.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The evals expand the skill from read-only querying/analysis into session-switching actions, which changes security context and can affect what tenant or project data becomes accessible. This is dangerous because an agent may perform state-changing operations that users did not clearly authorize, increasing the chance of cross-tenant confusion or unintended data access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The eval requires deleting a local authentication token file even though the skill is presented as a data-query assistant. Introducing local credential deletion is dangerous because it grants destructive local-file capability unrelated to the advertised purpose, and could log users out or be abused to disrupt access.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A local credential-file deletion capability is unjustified for a skill whose stated purpose is querying customer, audio, and visit data. This creates an unnecessary destructive primitive on the host environment, which can be misused for denial of service against the user session and sets a dangerous precedent for broader local file operations.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill description presents a read/query assistant for customer, audio, and visit data, but the code also exposes session-mutating operations to switch project and tenant context. In a multi-tenant system, changing session context can alter the scope of subsequent reads and may let an agent access or act within a different tenant/project than the user intended, which is a meaningful authorization-boundary risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The CLI makes tenant/project switching directly available even though the stated skill purpose is limited to querying records. This increases the attack surface by allowing an operator or chained tool invocation to silently change context before fetching sensitive data, potentially causing cross-project or cross-tenant data exposure.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger conditions are broad enough that ordinary conversation mentioning terms like '客户', '录音', or '旺小美' could invoke the skill without a clear user request to access backend data. Because this skill exposes customer records, recordings, and visit data, accidental invocation can cause unnecessary access to sensitive information and increase the chance of privacy leakage.

Vague Triggers

Low
Confidence
81% confidence
Finding
The skill description and trigger section do not define strong boundaries for when the skill should not run, making routing decisions ambiguous. In a data-access skill tied to tenant-scoped business records, weak boundaries can lead to over-triggering and unnecessary exposure of internal data, though this is primarily a design weakness rather than an exploit primitive.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger description includes broad, common business terms such as customer, recording, visit, and related variants, which can cause the skill to activate in contexts the user did not intend. Unintended invocation is significant here because the skill can access sensitive customer information, recordings, and account context. Over-broad triggering raises the risk of unnecessary data exposure and accidental execution of sensitive operations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs users how to authorize and query customer, recording, and visit data but does not prominently warn that these are sensitive personal/business records. Without clear privacy and access-risk messaging, users may over-share queries, authorize on shared machines, or retrieve records without understanding confidentiality obligations. Given the presence of customer details, phone numbers, transcripts, and visit records, the missing warning is security-relevant.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrase for showing visit records is broad and commonly used, so the skill may activate in contexts where the user did not intend to access this dataset. In a skill that surfaces sensitive customer and visit information, over-broad triggering increases the risk of accidental invocation and unintended disclosure.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The customer-list trigger uses a very generic phrase that overlaps with ordinary assistant requests, making accidental routing to this skill more likely. Because the skill accesses potentially sensitive customer data, ambiguous invocation can cause over-collection or exposure of information beyond user intent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The eval defines clearing authorization by deleting a token file without any warning or confirmation step. For a skill handling authenticated access to business data, silently removing credentials is dangerous because it is a destructive action affecting account access and can surprise users or be triggered unintentionally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI prints full API responses for user, tenant, customer, visit, and audio records directly to stdout, which can expose sensitive personal, business, or call-record metadata in logs, terminals, shell history captures, or downstream tool pipelines. Because this skill is specifically designed to retrieve potentially sensitive CRM and recording data, raw stdout dumping materially increases the chance of unintended disclosure.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
If you need to re-authorize or switch accounts, you can delete the authorization file:

```bash
rm ~/.wangke-auth-token
```

Or tell me "clear authorization" and I will handle it for you.
Confidence
93% confidence
Finding
rm ~/

VirusTotal

65/65 vendors flagged this skill as clean.
