1688 Common Cha88 Company Risk

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs the advertised company-risk lookup, but its credential setup is under-scoped and can store or reuse an access key under a different skill namespace.

Review this before installing if the AK is sensitive or shared across tools. Use a limited-scope key where possible, rotate it if pasted into chat, and verify that writing under the cha88-base config entry is acceptable in your OpenClaw environment. The query behavior itself is read-only, and VirusTotal telemetry was clean.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The CLI reports usage telemetry after every command via `_tracker.report_skill_usage()` even though telemetry collection is unrelated to the stated enterprise-risk query function and there is no visible indication here of consent, minimization, or data handling. In a skill that may process sensitive company identifiers and legal-risk queries, undisclosed telemetry can create privacy and compliance risk if command context or identifiers are transmitted externally.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The capability guide expands the skill's behavior beyond the stated trigger boundary by instructing enterprise search as part of the workflow, even though the parent skill says pure company-information queries should not trigger this risk skill. This can cause unintended activation, collection, or processing of company-identifying data in contexts where the skill should defer to another tool, creating scope creep and routing errors that may expose data or produce unauthorized lookups.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
This file implements telemetry and local .env parsing even though the skill is described as an enterprise-risk query tool. That mismatch is security-relevant because it introduces hidden behavior and an extra data flow to a remote endpoint that users would not reasonably expect from the advertised functionality.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The implementation performs only generic enterprise search and profile display, while the skill manifest claims it is a legal-risk/risk-analysis tool that should trigger only for enterprise risk queries. This mismatch can cause the agent to invoke the wrong capability for sensitive compliance or legal-risk decisions, returning incomplete non-risk data that may mislead users into believing a company is safe or fully assessed.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The module and CLI labels explicitly describe the tool as enterprise search/query, which contradicts the manifest's risk-only positioning. In an agent system, this inconsistency increases the chance of incorrect routing, operator confusion, and misuse of the skill in place of an actual risk-analysis capability.

Description-Behavior Mismatch

High
Confidence: 92%
Finding
The file implements a generic company search function even though the skill is declared to trigger only for enterprise risk/legal-risk queries. This scope mismatch can let the skill handle broader enterprise lookup requests than intended, undermining routing controls and potentially exposing data or behavior outside the approved capability boundary.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The module and function documentation describe the component as an enterprise search service rather than a risk-only service, contradicting the declared skill purpose. In isolation this is documentation drift, but in an agent setting it increases the chance of mis-triggering, incorrect tool selection, or future code changes expanding behavior beyond approved scope.

Description-Behavior Mismatch

High
Confidence: 95%
Finding
This file implements an AK configuration command that stores or updates credentials, which is outside the declared scope of an enterprise-risk lookup skill. Scope mismatch is dangerous because a user invoking a legal-risk query skill would not reasonably expect secret-management behavior, and such hidden capability can be abused to capture, overwrite, or persist sensitive access keys.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The code actively writes an access key via gateway or file fallback even though the skill is supposed to perform risk lookup and analysis only. In this context, secret-writing behavior expands the attack surface significantly: it can persist sensitive credentials locally or through a gateway, enabling unauthorized reuse, overwrite, or exfiltration pathways if the surrounding system is compromised or the behavior is triggered unexpectedly.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The configuration helper for this enterprise-risk skill writes credentials under SKILL_NAME = "cha88-base", which does not match the manifested skill. This can cause cross-skill credential injection, misbinding secrets to another capability, and accidental credential exposure or misuse by a different skill than the user intended to configure.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that every CLI invocation automatically reports usage to a gateway, but it does not provide a clear user-facing privacy notice or consent mechanism. Even if the payload seems limited to skill metadata, automatic outbound telemetry can leak usage patterns and operational context, especially in enterprise environments where tool invocation itself may be sensitive.

Missing User Warnings

Medium
Confidence: 95%
Finding
This code unconditionally attempts to report telemetry after each command without any user-facing disclosure in the file, and failures are silently suppressed. The lack of transparency and the hidden nature of the reporting increase the risk of unauthorized data collection, especially given the skill's legal/compliance context where queried entities and risk investigations may be sensitive.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill instructs the agent to request and process an Access Key directly in conversation without warning the user that this is a sensitive credential or directing them to a safer secret-input mechanism. That increases the chance the credential will be exposed in chat history, transcripts, analytics, or operator logs, especially in an agent environment where prompts and tool calls may be persisted.

Missing User Warnings

Medium
Confidence: 93%
Finding
The document explicitly describes telemetry reporting to a remote gateway, including endpoint, payload fields, and automatic reporting behavior, but does not warn users that usage metadata will be transmitted. This creates a transparency and privacy issue: operators may unknowingly send skill name, version, channel, and scene metadata to an external service, which is especially relevant in enterprise/compliance-sensitive environments.

Missing User Warnings

Medium
Confidence: 97%
Finding
The code reports usage on every CLI execution and silently ignores failures, with no disclosure or consent mechanism in this file. Hidden outbound telemetry can expose operational metadata such as tool usage, environment-derived identifiers, and deployment channel, which is more concerning in a compliance/risk-analysis tool that may be used in sensitive workflows.

Missing User Warnings

Medium
Confidence: 84%
Finding
The command writes a credential without presenting an explicit warning that sensitive data will be stored, potentially in a gateway or file. Lack of informed consent increases the chance that users expose production credentials unintentionally, especially because the skill's advertised purpose does not suggest secret storage and therefore makes this behavior more surprising and risky.

Missing User Warnings

Medium
Confidence: 90%
Finding
The API key is written in plaintext to local config storage without any indication here of user consent, encryption, permission hardening, or disclosure. If the config file is readable by other local users, copied into backups, or collected by support tooling, the credential can be exposed and reused.

Ssd 3

Medium
Confidence: 92%
Finding
The workflow tells the agent to extract a secret from the user's message and pass it as a command-line argument, which is a common secret-exposure anti-pattern because command arguments may be visible in process listings, shell history, telemetry, crash reports, or debug logs. The instruction to return raw markdown errors further raises the risk that the AK or related sensitive context could be echoed back to the user or recorded in logs if the CLI includes the supplied value in an error message.

VirusTotal

65/65 vendors flagged this skill as clean.
