Auto Agent 4974

Security checks across malware telemetry and agentic risk

Overview

This skill looks like a Chinese Bilibili tutorial helper, but its executable code uses an undeclared local Python module path and stores user-provided input in a local knowledge base without clearly explaining that behavior.

Review before installing. This does not show clear malware behavior, but it can execute code from a specific local Windows directory and save what the user passes into it. Install only if you understand and trust the local D:\coze-local\db learn module, are comfortable with local knowledge-base retention, and can tolerate the broad "agent" trigger.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Context-Inappropriate Capability

Medium (89% confidence)

Finding: The code prepends a local filesystem path to `sys.path`, altering Python's import resolution before importing `learn.KnowledgeBase`. This can cause the skill to load unintended or attacker-controlled modules from that directory, and the behavior is not disclosed by the tutorial-style description, making the capability risky in an agent/plugin context.

Intent-Code Divergence

Medium (80% confidence)

Finding: The docstrings present the skill as a harmless tutorial helper, but the implementation writes user-supplied data into a local knowledge base. This mismatch reduces transparency and can mislead reviewers or users about persistent data storage, increasing the chance of unreviewed data collection or retention.

Vague Triggers

Medium (93% confidence)

Finding: The trigger phrase includes the single word "agent", which is extremely broad and likely to activate during ordinary conversation unrelated to this specific skill. This can cause accidental invocation, unexpected context switching, and unintended execution of the skill when users are discussing agents generally rather than requesting this tutorial skill.

Natural-Language Policy Violations

Medium (83% confidence)

Finding: The skill content is entirely Chinese-oriented and its trigger phrases are Chinese-language specific, with no indication of locale negotiation or user preference handling. While not directly enabling code execution or data exposure, this can degrade usability, cause unexpected behavior for non-Chinese users, and increase accidental activation mismatch in multilingual environments.

VirusTotal

65/65 vendors flagged this skill as clean.
