Evomap Auto Task Publish 1.1.0

Security checks across malware telemetry and agentic risk

Overview

This skill is an EvoMap automation tool, but it needs review: it can repeatedly claim, publish, and complete remote tasks using a node identity bundled with the skill, and its background behaviour is broader than what the skill declares.

Review carefully before installing or scheduling. Do not run the cron job as-is unless you intentionally want recurring EvoMap task claims, asset publishing, and task completion. Replace the hardcoded node ID with your own explicit identity, verify the script runs from this installed skill rather than evomap-lite-client, remove or inspect the external notify.sh dependency, move logs to a private file, and test manually before enabling persistence.
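The hardening steps above (explicit node identity, no unattended side effects until the operator opts in, private logs, a manual test path) can be expressed as a small client. The following is an added example, not the skill's own code; the flagged script is bash, and only the endpoints https://evomap.ai/a2a/task/claim and https://evomap.ai/a2a/task/complete and the fields task_id, asset_id and node_id come from the page. The EVOMAP_NODE_ID variable, the ID alphabet, the Sender callback and the sample identities are assumptions.

```python
"""Hardened sketch of the claim/complete loop (added example, not the skill's code)."""
import json
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field
from typing import Callable, List, Optional

EVOMAP_BASE = "https://evomap.ai/a2a"             # endpoints from the flagged snippets
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,128}$")   # assumed: what a valid ID looks like

# A sender takes (url, json_body) and returns the response text. The operator
# wires a real one (urllib, curl) only when live side effects are wanted.
Sender = Callable[[str, str], str]


@dataclass
class PlannedRequest:
    url: str
    body: dict


@dataclass
class TaskClient:
    node_id: str
    log_path: str
    sender: Optional[Sender] = None              # None = dry run, nothing leaves the host
    planned: List[PlannedRequest] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Explicit identity instead of a node ID bundled with the skill.
        if not SAFE_ID.match(self.node_id or ""):
            raise ValueError("node_id must be supplied explicitly (EVOMAP_NODE_ID)")
        # Private log: create with mode 0600 instead of appending to a shared path.
        fd = os.open(self.log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        os.close(fd)

    @classmethod
    def from_env(cls, log_path: str, sender: Optional[Sender] = None) -> "TaskClient":
        # EVOMAP_NODE_ID is an assumed variable name.
        return cls(os.environ.get("EVOMAP_NODE_ID", ""), log_path, sender)

    def _log(self, line: str) -> None:
        with open(self.log_path, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")

    def _post(self, path: str, body: dict) -> PlannedRequest:
        req = PlannedRequest(f"{EVOMAP_BASE}/{path}", body)
        payload = json.dumps(body)   # escapes values; the script interpolated strings into JSON
        self.planned.append(req)
        if self.sender is None:
            self._log(f"DRY-RUN POST {req.url} {payload}")
        else:
            self._log(f"POST {req.url} {payload}")
            self._log(f"RESPONSE {self.sender(req.url, payload)}")
        return req

    def claim(self, task_id: str) -> PlannedRequest:
        if not SAFE_ID.match(task_id):
            raise ValueError(f"refusing to claim task with unexpected id {task_id!r}")
        return self._post("task/claim", {"task_id": task_id, "node_id": self.node_id})

    def complete(self, task_id: str, asset_id: str) -> PlannedRequest:
        if not (SAFE_ID.match(task_id) and SAFE_ID.match(asset_id)):
            raise ValueError("unexpected task or asset id")
        return self._post("task/complete",
                          {"task_id": task_id, "asset_id": asset_id, "node_id": self.node_id})


def run_cycle(client: TaskClient, task_id: str, asset_id: str) -> List[PlannedRequest]:
    """One claim -> complete pass; returns what was (or, in dry run, would be) sent."""
    client.claim(task_id)
    client.complete(task_id, asset_id)
    return list(client.planned)


def log_mode(path: str) -> int:
    """Permission bits of the log file, to check it stayed private."""
    return stat.S_IMODE(os.stat(path).st_mode)


def new_log_path() -> str:
    """Scratch location for the log, used by the demo below."""
    return os.path.join(tempfile.mkdtemp(prefix="evomap-"), "auto-task.log")


def raises_value_error(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    demo = TaskClient("node-example", new_log_path())      # constructed identity
    for r in run_cycle(demo, "task-42", "asset-7"):
        print("would send", r.url, json.dumps(r.body))
```

Run it with no sender and it only records what a cron run would have transmitted; the same gate (no sender, no transmission) is what a DRY_RUN flag in the bash script should enforce before the cron entry is installed.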

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and instructs use of capabilities including shell execution, environment-variable use, network access, and scheduled automation, but it does not declare permissions or clearly scope those powers. This weakens reviewability and informed consent: operators may install a skill that can make outbound requests and run unattended commands without explicit permission metadata.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is a simple automated task executor, but the detected behavior reportedly extends to node registration, heartbeats, webhook server exposure, billing/earnings queries, swarm task proposal, and external notifications. This mismatch is dangerous because reviewers and users may authorize the skill under a narrower trust model than the code actually requires, increasing the chance of unintended network exposure or overprivileged automation.

Description-Behavior Mismatch

Low
Confidence
91% confidence
Finding
The skill starts an HTTP webhook server and accepts arbitrary POST data without authentication, signature verification, origin checks, or payload size limits, then persists the received content to disk. In the context of an automated task agent, this increases attack surface and allows unauthenticated parties to inject spoofed events, fill disk/state files, or influence operator decisions via forged notifications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes unattended, recurring execution of a script that automatically acquires, claims, publishes, and completes platform tasks every two hours. This is risky because it encourages persistent account activity and automated remote actions without clearly warning users about terms-of-service, account suspension, resource consumption, or unintended side effects on the host and remote platform.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill promotes a fully automatic flow that fetches, claims, publishes, and completes tasks on a schedule, but it does not present a strong, explicit warning about unattended actions with external side effects. In practice, this can cause unwanted task execution, publication, or completion under the user's identity without sufficient operator awareness or checkpoints.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically claims and completes remote tasks on a schedule without any interactive confirmation, dry-run mode, or clear operator acknowledgment. In an agent skill context, this can trigger real external actions and state changes on behalf of the user or node owner, increasing the risk of unintended task execution, abuse of credentials, or unauthorized automation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Webhook payloads are written to local state storage verbatim, which can capture sensitive task data, identifiers, or attacker-supplied content without notice or minimization. Because the webhook endpoint is unauthenticated, an attacker can also intentionally poison local records or inflate disk usage by sending crafted payloads that get retained.
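The two webhook findings (unauthenticated POST intake with no size limit, and verbatim persistence of whatever arrives) describe the same missing checks on the receive path. The following is an added example, not the skill's own server code: the header name, the shared secret, the size cap, the replay window and the allowlisted fields are all assumptions chosen to show what an authenticated, bounded, minimized intake looks like; the sample payload is constructed.

```python
"""Hardened webhook intake (added example, not the skill's code)."""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

MAX_BODY = 64 * 1024                             # assumed cap on accepted bytes
SIG_HEADER = "X-Evomap-Signature"                # assumed header carrying the HMAC
KEEP_FIELDS = ("event", "task_id", "asset_id")   # assumed allowlist persisted to disk
MAX_SKEW = 300                                   # seconds a timestamp may deviate


class WebhookReject(Exception):
    """Raised for any request that must not reach state storage."""


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: SIG_HEADER value is 'sha256=' + hex HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def accept_event(headers: dict, body: bytes, secret: bytes,
                 now: Optional[float] = None) -> dict:
    """Receiver side: return the minimized record to persist, or raise WebhookReject."""
    now = time.time() if now is None else now
    if len(body) > MAX_BODY:                                   # bound disk/state growth
        raise WebhookReject("payload too large")
    presented = headers.get(SIG_HEADER, "")
    if not hmac.compare_digest(presented, sign(secret, body)):  # constant-time compare
        raise WebhookReject("missing or invalid signature")
    try:
        event = json.loads(body)
    except ValueError:
        raise WebhookReject("body is not JSON")
    if not isinstance(event, dict):
        raise WebhookReject("body is not a JSON object")
    ts = event.get("ts")
    if isinstance(ts, bool) or not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW:
        raise WebhookReject("timestamp missing or outside replay window")
    # Minimization: only allowlisted fields are retained; everything else is dropped.
    record = {k: event[k] for k in KEEP_FIELDS if k in event}
    record["ts"] = ts
    return record


def is_rejected(headers: dict, body: bytes, secret: bytes, now: float) -> bool:
    try:
        accept_event(headers, body, secret, now)
    except WebhookReject:
        return True
    return False


def persist(record: dict, state_path: str) -> None:
    """Append one JSON line to a state file created private (mode 0600)."""
    fd = os.open(state_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


if __name__ == "__main__":
    secret = b"rotate-me"                                    # constructed shared secret
    body = json.dumps({"event": "task.completed", "task_id": "t1",
                       "ts": int(time.time()), "debug": "dropped"}).encode()
    print(accept_event({SIG_HEADER: sign(secret, body)}, body, secret))
```

The size check runs before the HMAC so an attacker cannot make the server hash arbitrarily large bodies, and the timestamp window means a captured valid event cannot be replayed later to re-create records.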

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 2: claim the task
echo "" >> $LOG_FILE
echo "[Step 2] Claiming task $TASK_ID..." >> $LOG_FILE
claim_result=$(curl -s -X POST "https://evomap.ai/a2a/task/claim" \
    -H "Content-Type: application/json" \
    -d "{\"task_id\":\"$TASK_ID\",\"node_id\":\"$NODE_ID\"}" 2>&1)
echo "$claim_result" >> $LOG_FILE
Confidence
90% confidence
Finding
Outbound POST to https://evomap.ai/a2a/task/claim with a JSON body carrying the task ID and the node ID. Flagged as external transmission: every scheduled run sends the bundled node identity to the platform and claims the task without operator confirmation.

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 4: complete the task
    echo "" >> $LOG_FILE
    echo "[Step 4] Completing task..." >> $LOG_FILE
    complete_result=$(curl -s -X POST "https://evomap.ai/a2a/task/complete" \
        -H "Content-Type: application/json" \
        -d "{\"task_id\":\"$TASK_ID\",\"asset_id\":\"$ASSET_ID\",\"node_id\":\"$NODE_ID\"}" 2>&1)
    echo "$complete_result" >> $LOG_FILE
Confidence
91% confidence
Finding
Outbound POST to https://evomap.ai/a2a/task/complete with a JSON body carrying the task ID, the asset ID and the node ID. Flagged as external transmission: this call finalizes the task on the remote platform under the configured node identity with no confirmation step.

VirusTotal

66/66 vendors reported this skill as clean.