Cellosaurus

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as a Cellosaurus helper, but the supplied artifact evidence shows unrelated backend, credential, and local-secret-storage behavior that users should review before installing.

Install only after the publisher aligns the code, endpoint, environment variables, and documentation with Cellosaurus, limits remote calls to explicit Cellosaurus operations, and clearly explains whether API keys are stored locally and how to remove them. Treat any provided API key as shared with the configured upstream service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: High
Confidence: 90%
Finding:
The API-key instructions and project structure reference a different skill/domain, which strongly suggests repurposed or mislabeled infrastructure. In context, this increases the risk that users will provide credentials to a service they did not intend to trust, and that data may flow to an unrelated backend.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The implementation is a generic proxy client to a XiaoBenYang MCP endpoint and does not enforce that requests are limited to the advertised Cellosaurus resource. This creates a scope mismatch: consumers may believe the skill only accesses Cellosaurus, while the code can send arbitrary tool invocations to a broader upstream service using the configured API key.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The call_tool method accepts caller-controlled tool_name, mcp_id, and params and forwards them directly to the upstream API as headers/body without any local allowlist or schema restriction. In a skill advertised as a Cellosaurus resource accessor, this broad invocation surface can be abused to invoke unrelated upstream tools or capabilities, potentially causing unauthorized data access or unintended actions under the server's API key.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The configuration is clearly inconsistent with the declared Cellosaurus skill: it references an unrelated 'XBY_GAOKAO' namespace, external base URL, MCP ID, and API key handling for another service. This mismatch strongly suggests code reuse or supply-chain contamination, which is dangerous because users may unknowingly send credentials or requests to an unrelated remote service outside the skill's stated purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
This skill adds credential persistence to a local .env file even though the stated functionality is read/query access to a knowledge resource. Persisting secrets expands the attack surface, creates unnecessary local secret storage, and may surprise users who did not expect the skill to modify local files.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The ability to save an API key into .env is not justified by the manifest's Cellosaurus knowledge-service purpose. Unnecessary secret persistence increases the risk of credential leakage through filesystem exposure, backups, logs, or accidental repository commits.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The docstring identifies this as a '小笨羊高考Skill' configuration, directly contradicting the Cellosaurus manifest. That discrepancy is a strong indicator of mispackaged or copied code, which materially raises supply-chain and trust concerns because the skill may interact with unintended infrastructure or data flows.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill instructs the agent to collect a user API key and persist it via local configuration without warning about storage, retention, scope, or exposure. Secret collection and storage are sensitive operations; without transparency and safeguards, users may unknowingly leave credentials on disk or expose them to other local processes.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The code writes API keys to .env automatically without any explicit warning, confirmation, or informed consent mechanism. Users may believe they are providing a temporary credential while the skill silently persists it on disk, increasing the chance of unintended disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.