微信公众号转个人知识库 (WeChat Official Account to Personal Knowledge Base)

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent note-saving purpose, but its scripts build shell commands from article URLs, which can let a crafted link run unintended commands on the user's machine.

Install only if you are comfortable with a skill that can run Bash and write to your local Obsidian vault. Until the shell-command issue is fixed, avoid processing links from untrusted sources, prefer explicit vault/output paths, and confirm the resolved destination before allowing it to save notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The curl fallback builds a shell command by interpolating a user-controlled URL directly into execSync. The URL validation is only a substring check, so an attacker can craft input that contains mp.weixin.qq.com while also carrying shell metacharacters or quotes, leading to arbitrary command execution on the host.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The script reads the user's local Obsidian configuration to enumerate vault paths, which exposes local-environment metadata beyond the minimum needed to process a supplied article URL. Even though it appears intended as convenience, discovering local file-system locations without explicit consent can leak sensitive path information and expands the skill's access to unrelated local data.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding:
The batch-processing trigger uses broad natural language ('帮我保存这几篇文章到知识库', roughly "help me save these articles to the knowledge base"), which can match ordinary conversation and cause the agent to initiate fetching, summarization, and local file writes without a tightly scoped command. In a skill with shell and filesystem access, ambiguous invocation increases the risk of unintended processing of links and unintended persistence to the user's vault.

Vague Triggers

Severity: Low
Confidence: 72%
Finding:
The '指定主题目录' ("specify a topic directory") example allows loosely constrained destination selection and can blur into general file-management requests. When combined with write access, this can lead to notes being written into unintended locations within the vault, especially if user-provided directory strings are not tightly validated.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding:
Accessing Obsidian configuration without an explicit user warning reduces transparency around local metadata collection. In context this is not overtly malicious, but it can surprise users and disclose information about installed apps and vault locations that is not strictly required for article conversion.

VirusTotal

64/64 vendors flagged this skill as clean.