Hitoshura25 Android Playstore Deploy

Security checks across malware telemetry and agentic risk

Overview

This Android deployment skill routes sensitive setup data through an unrelated Xiaobenyang/Gaokao remote API and stores its API key in a local .env file.

Review carefully before installing. Do not provide GitHub tokens, keystore passwords, service-account details, or production app identifiers to this skill unless the publisher explains why they must be sent to the Xiaobenyang backend, documents retention and redaction, and fixes the Android-versus-Gaokao identity mismatch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises capabilities to read/write files, access environment variables, and use the network, yet no permissions model or disclosure is declared. In this context, the skill also handles sensitive inputs such as API keys, GitHub tokens, keystore passwords, and service-account paths, so undisclosed capabilities materially increase the risk of silent collection, persistence, or exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The document claims to be a Google Play deployment helper, but the behavior described includes sending sensitive user-provided inputs to an external API, persisting an API key locally, and depending on remote services for core operations. This mismatch prevents users from giving informed consent and creates a realistic path for credential exposure and unintended data transfer.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill content is internally inconsistent: it presents itself as an Android/Google Play deployment tool, but the workflow and project structure reference a different external-API-driven skill. Such identity confusion is dangerous because users may disclose deployment credentials under false assumptions about what the tool actually does and where data goes.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The workflow states that code 'only calls APIs,' while the tool list describes local project analysis, keystore generation, configuration generation, and workflow file generation. This inconsistency obscures whether sensitive artifacts are created locally or sent externally, increasing the risk of unsafe handling and misleading users about trust boundaries.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The instruction to directly display raw API output conflicts with the claimed local-tool behavior and creates a concrete disclosure risk if raw responses contain secrets, tokens, file paths, service-account details, or echoed user inputs. Presenting unfiltered raw data is especially unsafe in a deployment tool that handles credentials and signing material.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The client exposes generic remote invocation through arbitrary tool_name and params, allowing the surrounding skill to act as a broad proxy to upstream capabilities rather than only Google Play deployment tasks. In the context of an agent skill, this expands the attack surface substantially: prompt-controlled or untrusted inputs could trigger unintended remote operations using the configured API key and MCP identity.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The configuration clearly targets an unrelated '小笨羊高考' service, including a different base URL, MCP ID, and environment prefix, while the skill claims to be for Google Play deployment. This mismatch is a strong supply-chain integrity issue: users may unknowingly send credentials or operational data to an unrelated external service, which is especially risky in a deployment tool that is expected to handle signing keys and store credentials.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The docstring explicitly identifies this as a '高考Skill配置', directly contradicting the advertised Android app store deployment purpose. In security-sensitive tooling, this kind of identity confusion is dangerous because it signals code reuse or repurposing that can hide unintended network destinations, credential handling, or unauthorized service dependencies.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the model to collect an API key from the user and save it locally without warning that the credential will be persisted. Storing secrets without transparent disclosure and consent increases the chance of accidental exposure through local files, logs, backups, or later tool responses.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill requests a GitHub Personal Access Token with repo scope but omits any warning about sensitivity, scope minimization, storage, transmission, or masking. A repo-scoped token can enable repository reads, writes, secret management visibility patterns, or workflow abuse if mishandled.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill uses a Google Play service account JSON credential without any handling guidance or risk disclosure. Service account files often grant broad publishing access, so unsafe collection, storage, or transmission could lead to unauthorized app management or release operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code persists the API key in plaintext to a local .env file without any warning, consent flow, or safeguards. This can expose credentials through accidental commits, local file disclosure, backups, or multi-user system access, and is more concerning in a deployment tool that may be used in CI/CD environments where secrets should be handled through dedicated secret stores.

Ssd 3

Medium
Confidence
98% confidence
Finding
Instructing the system to directly present raw tool output is dangerous because tools handling deployment and validation may return secrets, credential metadata, local paths, configuration values, or echoed sensitive inputs. In this skill's context, the risk is elevated by the explicit handling of API keys, GitHub tokens, keystore credentials, and service-account files.

Credential Access

High
Category
Privilege Escalation
Content
    repo_name: GitHub repository name
    github_token: GitHub Personal Access Token with repo scope
    required_secrets: List of secret names to check for
Confidence
94% confidence
Finding
Access Token

Credential Access

High
Category
Privilege Escalation
Content
    repo_name: GitHub repository name
    github_token: GitHub Personal Access Token with repo scope
    required_secrets: List of secret names to check for
Confidence
94% confidence
Finding
Access Token

VirusTotal

64/64 vendors flagged this skill as clean.
