爱图表 桑基图 (aitubiao Sankey diagram)

Security checks across malware telemetry and agentic risk

Overview

This looks like a genuine Sankey-chart skill, but it ships broader authenticated API capabilities than its Sankey-only description suggests.

Install only if you intend to use aitubiao with an API key. Treat the key as a persistent local secret: delete ~/.aitubiao/credentials or rotate the key once you no longer need it, and instruct the agent to use only the Sankey workflow unless you explicitly want the other aitubiao API actions. Choose export paths deliberately so downloads cannot overwrite files you care about.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
This Sankey-specific skill ships a general-purpose CLI that can authenticate, inspect quota, create unrelated chart, PPT and 3D projects, and download exports, which materially exceeds its declared scope of 'Sankey diagram generation'. In an agent setting, unnecessary capabilities expand the attack surface and enable unintended data exfiltration or misuse if the agent is prompted, or compromised, into invoking the broader commands.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The presence of cmd_create_ppt and cmd_create_3d gives this Sankey skill content-generation capabilities unrelated to its stated purpose. In an agent environment, that mismatch can be abused to generate arbitrary external artifacts or spend account quota in ways the user did not authorize when enabling a Sankey-only skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The download-project flow can write exported files to caller-supplied local paths, which is broader than needed for merely creating a Sankey diagram. Although it performs some directory checks, it still gives the skill local file-write capability and project export access that could be misused to overwrite files at whatever location is supplied, or to write project contents to disk without a clear need in this skill's context.
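The three findings above (a general-purpose CLI exposed to the agent, unrelated PPT/3D commands, and exports written to caller-supplied paths) share one remedy: put a least-privilege wrapper between the agent and the CLI. The code below is an added example, not the aitubiao skill's own code. It assumes the CLI's subcommands are reachable as Python callables in a registry (the names create_sankey and download_project are assumptions; create_ppt and create_3d mirror the cmd_create_ppt/cmd_create_3d the finding cites) and that exports should land only inside one directory. The registry contents are constructed stand-ins, not the real implementations.

```python
"""Least-privilege wrapper for a multi-purpose chart CLI driven by an agent.

Added example; not the aitubiao skill's own code. Command names other than
create_ppt/create_3d are assumptions, and the registry below is a constructed
stand-in for the real CLI.
"""
from __future__ import annotations

import os
from pathlib import Path
from typing import Callable

# Only the Sankey workflow is reachable from the agent. Everything else the
# CLI can do (PPT, 3D, quota queries) stays registered but is never exposed.
ALLOWED_COMMANDS = frozenset({"create_sankey", "download_project"})


class ScopeViolation(PermissionError):
    """Raised when the agent asks for something outside the declared scope."""


def gated_dispatch(registry: dict[str, Callable], command: str, *args, **kwargs):
    """Invoke `command` only if it is on the allowlist; refuse everything else.

    Unknown and disallowed commands fail the same way, so a prompt-injected
    request for create_ppt fails closed without revealing which commands exist.
    """
    if command not in ALLOWED_COMMANDS or command not in registry:
        raise ScopeViolation(f"command {command!r} is outside the Sankey-only scope")
    return registry[command](*args, **kwargs)


def confine_export_path(export_dir: Path, requested: str) -> Path:
    """Resolve a caller-supplied name to a path strictly inside export_dir.

    Absolute paths, `..` traversal and symlinks that point outside the
    directory are all rejected after full resolution, not by string matching.
    """
    base = export_dir.resolve()
    candidate = (base / requested).resolve()  # an absolute `requested` replaces base
    if candidate == base or base not in candidate.parents:
        raise ScopeViolation(f"export path {requested!r} escapes {base}")
    return candidate


def write_export(export_dir: Path, requested: str, data: bytes,
                 *, allow_overwrite: bool = False) -> Path:
    """Write exported bytes inside export_dir; refuse to clobber files by default.

    O_EXCL makes the no-overwrite rule atomic at open time, so there is no
    exists()-then-write race, and O_NOFOLLOW (where the OS has it) refuses a
    symlink planted at the target between resolution and open.
    """
    target = confine_export_path(export_dir, requested)
    target.parent.mkdir(parents=True, exist_ok=True)  # parent is inside base by construction
    flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    flags |= os.O_TRUNC if allow_overwrite else os.O_EXCL
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def _demo_registry() -> dict[str, Callable]:
    """Constructed stand-ins for the CLI's subcommands (not real implementations)."""
    return {
        "create_sankey": lambda spec: {"project": "sankey-demo", "nodes": len(spec["nodes"])},
        "download_project": lambda project_id: b"<svg/>",
        "create_ppt": lambda *_: "ppt created",
        "create_3d": lambda *_: "3d created",
        "quota": lambda: {"remaining": 0},
    }


if __name__ == "__main__":
    reg = _demo_registry()
    print(gated_dispatch(reg, "create_sankey", {"nodes": ["a", "b"], "links": [("a", "b", 1)]}))
    try:
        gated_dispatch(reg, "create_ppt")
    except ScopeViolation as exc:
        print("blocked:", exc)
```

The wrapper is what an agent harness should call instead of the raw CLI: the allowlist removes create_ppt, create_3d and quota from the agent's reach entirely, and every export goes through confine_export_path plus an O_EXCL open, so a malicious or confused tool call cannot walk out of the export directory or silently replace an existing file.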

Vague Triggers

Severity: Medium
Confidence: 78%
Finding
The trigger list contains broad phrases such as '关系图' (relationship diagram), '数据流向' (data flow direction), and 'flow diagram', which may match ordinary user requests outside the intended Sankey-chart workflow. Over-broad invocation increases the risk that the skill activates unexpectedly and starts credential checks, quota queries, or data-handling steps in the wrong context.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs the user to paste an API key and then persists it to `~/.aitubiao/credentials` across sessions, but it does not provide a clear warning at the collection point about storage duration, reuse, exposure risk, or how to revoke/delete the secret. Collecting and persistently storing credentials without explicit privacy notice or minimization is dangerous because users may unknowingly provide long-lived secrets that remain on disk beyond the immediate task.
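The overview's advice (treat the key as a persistent local secret, delete ~/.aitubiao/credentials or rotate the key when done) and this finding both come down to how the cached key is written, checked and removed. The code below is an added example, not the aitubiao skill's own code. It assumes the key is stored as plain text in ~/.aitubiao/credentials (the path the finding names); the 30-day staleness threshold is an assumption.

```python
"""Hygiene helpers for an API key persisted at ~/.aitubiao/credentials.

Added example; not the aitubiao skill's own code. The storage path is the one
the finding names; MAX_AGE_DAYS is an assumed policy, not something the skill
enforces.
"""
from __future__ import annotations

import os
import stat
import time
from pathlib import Path
from typing import Optional

CRED_PATH = Path.home() / ".aitubiao" / "credentials"
MAX_AGE_DAYS = 30  # assumption: how long a cached key is tolerated before it is called stale


def store_key(api_key: str, path: Path = CRED_PATH) -> None:
    """Persist the key with owner-only permissions.

    The file is created with mode 0600 in the same open() call that creates
    it, so there is no window in which a wider mode is visible.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(api_key.strip() + "\n")
    os.chmod(path, 0o600)  # tighten a pre-existing file that had a wider mode


def audit_key_file(path: Path = CRED_PATH, now: Optional[float] = None) -> dict:
    """Report whether a cached key exists, is readable by others, and how old it is."""
    if not path.exists():
        return {"present": False, "exposed": False, "stale": False, "age_days": None}
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    exposed = bool(mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH))
    age_days = ((time.time() if now is None else now) - st.st_mtime) / 86400
    return {
        "present": True,
        "exposed": exposed,
        "stale": age_days > MAX_AGE_DAYS,
        "age_days": round(age_days, 1),
    }


def load_key(path: Path = CRED_PATH) -> Optional[str]:
    """Return the cached key, or None if absent; refuse a file other users can read."""
    report = audit_key_file(path)
    if not report["present"]:
        return None
    if report["exposed"]:
        raise PermissionError(f"{path} is readable by other users; refusing to use it")
    return path.read_text().strip()


def forget_key(path: Path = CRED_PATH) -> bool:
    """Overwrite (best effort) and delete the cached key; True if a file was removed.

    Zeroing the bytes before unlinking is best effort only: journaling and
    copy-on-write filesystems may keep older blocks, so rotating the key at the
    provider is still the real revocation step.
    """
    if not path.exists():
        return False
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()
    return True


if __name__ == "__main__":
    print(audit_key_file())
```

Run audit_key_file() after a session to see whether the key is still on disk, whether its mode leaks it to other local users, and whether it has outlived the policy window; forget_key() is the "delete ~/.aitubiao/credentials" step from the overview, and the docstring says why rotating the key at the provider still matters afterwards.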

VirusTotal

63/63 vendors flagged this skill as clean.
