Iconify Icon

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be advertised as an Iconify icon helper, but its reported code handles unrelated Xiaobenyang/XBY credentials and exposes broader MCP tool-calling behavior than that purpose requires.

Install only if you understand why this Iconify skill needs Xiaobenyang/XBY credentials and broad MCP proxy access. Treat any API key entered as a persistent local secret, rotate it if exposed, and prefer a version that removes unrelated service references, allowlists Iconify-only tools, and documents credential storage clearly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The file implements a generic upstream MCP proxy that can invoke arbitrary tools via caller-controlled `tool_name`, `mcp_id`, and `params`, which exceeds the advertised scope of an Iconify-only icon data service. This mismatch expands the reachable attack surface and can enable unintended capability access or data exfiltration through other upstream tools if the surrounding skill exposes these inputs.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The file for an icon data service contains logic to persist and retrieve an unrelated XBY/Xiaobenyang API key, which strongly contradicts the declared skill purpose. That mismatch is a supply-chain red flag because the code can capture and retain credentials for another service without a clear user need, enabling covert credential collection or unauthorized backend access.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The class docstring, env prefix, default endpoint, and identifiers refer to a Gaokao/Xiaobenyang service rather than the advertised icon server. Such identity mismatch indicates the package may be repurposed or trojanized code, making the skill context more dangerous because users would trust it for harmless icon access while it is configured for a different remote service.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to ask the user for an API key and save it locally, but provides no warning about storage, retention, masking, or who can later read the file. This is dangerous because users may unknowingly disclose sensitive credentials that are then persisted in plaintext or exposed to other local processes and future sessions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The code writes API keys directly into a local .env file and process environment without any warning, confirmation, or storage policy. This can expose secrets through accidental commits, local file disclosure, backups, or later reuse by unrelated code, especially in a shared agent runtime.

VirusTotal

64/64 vendors flagged this skill as clean.