clash-auto-switch

Security checks across malware telemetry and agentic risk

Overview

This skill is a real proxy-control tool, but it includes unsafe credential handling and can change network routing automatically or on a schedule.

Install only if you want an agent to control your Clash proxy selection. Prefer the Python/OpenClaw path over the Bash helpers, remove or rotate the embedded Bash secret before use, keep `CLASH_SECRET` in protected local configuration, bind the Clash controller to localhost, and avoid cron or elevated scheduled tasks unless you explicitly accept unattended routing changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

High
Confidence: 99%
Finding
The status branch runs `cat $(load_state)`, but `load_state` returns JSON content rather than a pathname. Because command substitution output is subject to shell word splitting and filename interpretation, a crafted or corrupted `/tmp/clash-switch-state.json` can cause unintended file reads, errors, or unpredictable behavior; using `/tmp` also increases exposure to local tampering in multi-user environments.

Missing User Warnings

Medium
Confidence: 79%
Finding
The README instructs users to export and store a sensitive API secret but does not warn about credential exposure via shell history, shared terminals, copied config files, or accidental commits. In the context of a local proxy control API, disclosure of the secret could let another local or network-adjacent party query or modify proxy settings, undermining traffic routing and potentially exposing user activity.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script hardcodes a live Clash API bearer secret directly in source. Embedded credentials are easily leaked through source sharing, backups, logs, screenshots, or repository history, allowing anyone with local or network access to the API endpoint to reconfigure proxies and inspect proxy metadata.

Missing User Warnings

High
Confidence: 99%
Finding
The script embeds a live Clash control secret directly in source code and then uses it for authenticated API requests. Hardcoded secrets are easily exposed through source control, logs, backups, screenshots, or reuse across systems, allowing unauthorized parties with local/API access to reconfigure the proxy and potentially redirect or disrupt network traffic.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation instructs users to place the Clash API secret directly into a local configuration file but does not warn that this value is a credential that should be protected from logging, sharing, backups, screenshots, or source control. Because the secret controls the Clash external controller API, exposure could let other local or reachable processes query status or change proxy settings, which is a real security concern even though the example targets localhost.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation explicitly promotes automatic proxy switching and unattended scheduled execution via cron/heartbeat, but does not warn users that it can modify active network routing and proxy group selections without interactive confirmation. In context, this creates a real safety issue because the skill changes connectivity state and traffic paths, which can affect privacy, policy compliance, service behavior, and troubleshooting if triggered automatically.

Missing User Warnings

Medium
Confidence: 80%
Finding
The setup instructions tell users to provide the Clash API secret directly in command examples and environment variables, but give no warning about shell history, process exposure, config file permissions, or secure secret storage. While this is likely standard operational documentation rather than malicious behavior, it still encourages insecure credential handling that could expose control of the local Clash API to other users or tools on the same system.

Missing User Warnings

Medium
Confidence: 84%
Finding
The auto-switch path can change the active proxy selection based on health checks without any explicit confirmation at the moment of change. In a networking tool, changing routing behavior can alter privacy, connectivity, and trust boundaries, so doing so silently increases the chance of unintended network redirection or disruption.

VirusTotal

62/62 vendors flagged this skill as clean.
