Mathematics

Security checks across malware telemetry and agentic risk

Overview

This math skill should go to Review because it is an API-backed remote proxy with credential storage and non-math administrative tools that are not clearly scoped to the advertised calculator purpose.

Install only if you are comfortable giving this skill a Xiaobenyang API key, storing that key in a local .env file, and sending calculation inputs, session data, and history operations to the remote MCP service. Treat the non-math diagnostic tools and the Gaokao-related leftovers as reasons to review the publisher and service documentation before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Description-Behavior Mismatch

High severity, 97% confidence
Finding
The workflow and project structure reference a Xiaobenyang/Gaokao API-backed service rather than a self-contained math engine. This inconsistency suggests the skill may be repurposed from another domain, increasing the risk of hidden or unintended data flows to third-party services under a misleading label.

Intent-Code Divergence

Medium severity, 88% confidence
Finding
The example instructs use of a school-search function that is not present in the tool list, contradicting the claimed math purpose. Contradictory instructions are a security concern because they indicate poor provenance or copy-pasted logic, which can conceal unsupported or unintended behavior.

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
System and performance monitoring capabilities are outside the normal scope of a mathematics computation skill. Scope expansion increases risk because it may expose host or runtime information that can aid fingerprinting, debugging abuse, or later attacks, while users would not expect such collection from a calculator-like skill.

Context-Inappropriate Capability

Medium severity, 95% confidence
Finding
Memory-management functions such as optimization are not justified by the stated purpose of math computation. Administrative runtime controls can affect agent behavior or availability and create opportunities for denial of service, state tampering, or concealment of prior actions.

Description-Behavior Mismatch

Medium severity, 93% confidence
Finding
This skill, advertised as a mathematics engine, actually performs a generic remote MCP tool invocation based on caller-supplied mcp_id, tool_name, and params. That expands the trust boundary from local math operations to an external service that can receive arbitrary inputs and potentially expose data or trigger non-math capabilities, a real security-relevant design issue for a narrowly scoped skill.

Context-Inappropriate Capability

Medium severity, 88% confidence
Finding
The client mounts generic HTTP/HTTPS adapters and uses a configurable base_url, enabling outbound requests to any configured upstream service. For a math skill, this is broader than necessary and increases risk of SSRF-like misuse, unintended data egress, or dependency on an untrusted remote endpoint if configuration is altered.

Description-Behavior Mismatch

Medium severity, 96% confidence
Finding
The skill claims to be a mathematics engine, but this code persists and manages an external API key for a different service namespace (XBY/Xiaobenyang Gaokao). That mismatch indicates hidden external-service dependency and unnecessary secret handling, which expands the trust boundary and can mislead users into supplying credentials unrelated to the stated purpose.

Intent-Code Divergence

Low severity, 91% confidence
Finding
The docstring identifies the component as a '小笨羊高考Skill' (Xiaobenyang Gaokao Skill) configuration, contradicting the declared mathematics-engine purpose. This inconsistency is a supply-chain red flag because it suggests code reuse from a different product and weakens confidence that the skill does only what it claims.

Description-Behavior Mismatch

High severity, 95% confidence
Finding
The skill is described as a mathematics engine, but it exposes performance, memory, and security-management style operations that are outside that stated scope. Scope mismatch is dangerous because it gives an apparently benign math tool access to operational introspection capabilities that could be abused for reconnaissance or unauthorized environment interaction.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
A security_status function provides direct security inspection capability unrelated to mathematical computation. Even without direct modification powers, exposing security state to an assistant-facing skill can leak defensive posture, configuration, or operational details useful for follow-on attacks.

Context-Inappropriate Capability

Medium severity, 91% confidence
Finding
Performance and memory-statistics functions are not necessary for a math engine and expose system operational telemetry. Such telemetry can aid fingerprinting, resource mapping, or abuse planning, especially when presented through a tool that users would expect to be limited to calculations.

Description-Behavior Mismatch

Medium severity, 87% confidence
Finding
The skill includes session creation, variable persistence, history retrieval, deletion, and history clearing, but these stateful behaviors are not disclosed in the description. Undisclosed persistence increases privacy and integrity risk because users may assume ephemeral computation while the skill stores and manipulates historical or session data.

Missing User Warnings

Medium severity, 97% confidence
Finding
The skill requires collecting a user API key and saving it, but it provides no warning about storage location, retention, access controls, or privacy implications. Credential collection without clear handling guidance can lead to accidental exposure in files, logs, backups, or other tools with local access.

Missing User Warnings

Medium severity, 90% confidence
Finding
The skill documents delete-session and clear-history style operations without warning users about permanence or possible data loss. Destructive actions in a stateful skill can erase records or working context unexpectedly, especially if invoked through ambiguous prompts or automated routing.

Missing User Warnings

Medium severity, 85% confidence
Finding
The code sends tool parameters directly to an external API via POST without any indication in this file of user notice, consent, or filtering of sensitive content. In a math-assistant context, users may reasonably expect local computation, so silent transmission of inputs to a third party creates a data privacy and handling risk.

Missing User Warnings

Medium severity, 94% confidence
Finding
The function writes the provided API key directly into .env and the process environment without any user confirmation, storage warning, or permission controls. Persisting secrets silently increases the risk of accidental disclosure through source control, backups, shared workspaces, or later process inspection.
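The two credential findings above (no storage warning, silent write to .env and the process environment) describe what the skill omits. The following is an added example, not the skill's own code, of the sequence a careful implementation would run before persisting a user-supplied key: validate the key's shape, check that .env is covered by .gitignore, create the file 0600 from the start, replace it atomically, and only export to the process environment on explicit opt-in. The variable name XBY_API_KEY, the key-shape rule, the recognised .gitignore patterns and all function names are assumptions made for illustration.

```python
"""Safer persistence of a skill's API key than a silent write to .env.

Added example, not the skill's own code. The variable name XBY_API_KEY,
the key-shape rule, the function names and the .gitignore check are
assumptions made for illustration.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

ENV_FILE = ".env"
KEY_NAME = "XBY_API_KEY"  # assumed name for the Xiaobenyang key the skill stores


def key_shape_ok(api_key: str) -> bool:
    """Reject obviously wrong input (empty, whitespace, pasted shell text) before it is persisted."""
    return bool(re.fullmatch(r"[A-Za-z0-9._-]{16,}", api_key))


def gitignore_covers_env(workdir: Path) -> bool:
    """True if .gitignore contains one of the common literal patterns for .env.

    Only exact-line forms are recognised; full gitignore semantics are out of scope here.
    """
    gitignore = workdir / ".gitignore"
    if not gitignore.exists():
        return False
    patterns = {ln.strip() for ln in gitignore.read_text().splitlines()}
    return bool(patterns & {".env", "/.env", "*.env", ".env*"})


def store_api_key(workdir, api_key, *, export_to_process=False):
    """Write KEY_NAME=api_key into .env atomically with mode 0600 and report what happened.

    Returns a dict with the path, the resulting file mode, a list of warnings
    the user should see, and whether the key was also exported to os.environ.
    """
    workdir = Path(workdir)
    if not key_shape_ok(api_key):
        raise ValueError("API key has an unexpected shape; refusing to store it")
    warnings = []
    if not gitignore_covers_env(workdir):
        warnings.append(f"{ENV_FILE} is not listed in .gitignore; it can be committed by accident")

    target = workdir / ENV_FILE
    kept = []
    if target.exists():
        if target.stat().st_mode & 0o077:
            warnings.append(f"existing {ENV_FILE} was group/world readable; tightening to 0600")
        # Keep unrelated entries, replace ours instead of appending duplicates.
        kept = [ln for ln in target.read_text().splitlines() if not ln.startswith(KEY_NAME + "=")]
    lines = kept + [f"{KEY_NAME}={api_key}"]

    # mkstemp creates the file 0600 from the start; os.replace swaps it in atomically,
    # so no reader ever sees a partially written or world-readable .env.
    fd, tmp = tempfile.mkstemp(dir=workdir, prefix=".env.")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, target)

    if export_to_process:
        # Opt-in only: environment variables leak to child processes and /proc/<pid>/environ.
        os.environ[KEY_NAME] = api_key
    return {
        "path": str(target),
        "mode": stat.S_IMODE(target.stat().st_mode),
        "warnings": warnings,
        "exported": export_to_process,
    }


def demo():
    """Constructed run in a throwaway directory with a placeholder key (not a real credential)."""
    placeholder = "k" * 24
    with tempfile.TemporaryDirectory() as d:
        first = store_api_key(d, placeholder)    # no .gitignore yet: expect a warning
        Path(d, ".gitignore").write_text(".env\n")
        second = store_api_key(d, placeholder)   # rewrite: warning gone, no duplicate line
        content = Path(d, ENV_FILE).read_text()
    return first, second, content


if __name__ == "__main__":
    for report in demo()[:2]:
        print(report)
```

The returned warnings list is the point: a skill that persists secrets should surface these conditions to the user rather than writing silently, and it should leave the process environment alone unless the caller asks for it.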

Missing User Warnings

Medium severity, 90% confidence
Finding
delete_session performs a destructive state-changing action with no visible confirmation, guardrail, or indication of authorization checks. In an agent context, this raises the risk of accidental or induced deletion of user state through prompt manipulation or misuse.

Missing User Warnings

Medium severity, 89% confidence
Finding
clear_history can erase prior records without any user-facing warning or confirmation. For agent-integrated tools, silent destructive actions are risky because they can remove auditability, user context, or evidence of misuse with a single call.
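Several findings above describe the same design gap from different angles: the skill forwards caller-supplied mcp_id, tool_name and params to a configurable base_url, exposes non-math tools such as security_status, and runs delete_session and clear_history with no confirmation or sensitive-content filtering. The following is an added example, not the skill's or the scanner's own code, of a policy gate that a narrowly scoped skill would put in front of such a proxy: the upstream host is pinned, tools are allowlisted by advertised purpose with everything else denied, destructive tools require an explicit confirmation flag, credential-like content in params is refused, and the body size is bounded. The allowlist contents, the host api.example.invalid, the `confirmed` flag and every function name are assumptions made for illustration; the gate returns the payload instead of sending it so the decision can be tested offline.

```python
"""Policy gate in front of a remote MCP tool proxy.

Added example, not the skill's own code. The request shape (mcp_id,
tool_name, params posted to a configurable base_url) and the tool names
delete_session, clear_history and security_status come from the findings;
the allowlist contents, the pinned host, the `confirmed` flag and every
function name here are assumptions made for illustration.
"""
import json
import re
from dataclasses import dataclass
from urllib.parse import urlparse


class PolicyViolation(Exception):
    """Raised when a proxied call falls outside what the skill advertises."""


@dataclass(frozen=True)
class GatewayPolicy:
    allowed_hosts: frozenset      # pinned upstream: a changed base_url cannot redirect egress
    allowed_tools: frozenset      # only tools the advertised purpose needs
    destructive_tools: frozenset  # subset of allowed_tools that needs explicit confirmation
    max_body_bytes: int = 4096    # bound on how much a prompt can make the skill ship upstream


# Hypothetical policy for a calculator-style skill. Anything not listed
# (security_status, performance or memory telemetry, ...) is denied by default.
MATH_POLICY = GatewayPolicy(
    allowed_hosts=frozenset({"api.example.invalid"}),
    allowed_tools=frozenset({
        "calculate", "simplify", "solve",
        "create_session", "get_history", "delete_session", "clear_history",
    }),
    destructive_tools=frozenset({"delete_session", "clear_history"}),
)

# Heuristics for credential-like content. A math input never legitimately
# carries an API key or an environment dump, so refuse rather than forward.
SECRET_KEY_RE = re.compile(r"api[_-]?key|token|secret|password", re.I)
SECRET_VALUE_RE = re.compile(r"^(sk[-_]|xoxb-|AKIA)[A-Za-z0-9_-]{8,}$")


def find_secret(obj, path="params"):
    """Walk nested params and return the path of the first secret-looking item, else None."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if isinstance(key, str) and SECRET_KEY_RE.search(key):
                return here
            hit = find_secret(value, here)
            if hit:
                return hit
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hit = find_secret(value, f"{path}[{i}]")
            if hit:
                return hit
    elif isinstance(obj, str) and SECRET_VALUE_RE.match(obj):
        return path
    return None


def gate_request(base_url, mcp_id, tool_name, params, *, policy=MATH_POLICY, confirmed=False):
    """Return (base_url, json_body) for a call that passes policy, or raise PolicyViolation.

    The gate only decides; the caller POSTs the body to whatever endpoint the
    service documents. Keeping transport out keeps the decision testable offline.
    """
    url = urlparse(base_url)
    if url.scheme != "https" or url.hostname not in policy.allowed_hosts:
        raise PolicyViolation(f"upstream {base_url!r} is not a pinned https host")
    if tool_name not in policy.allowed_tools:
        raise PolicyViolation(f"tool {tool_name!r} is outside the advertised math scope")
    if tool_name in policy.destructive_tools and not confirmed:
        raise PolicyViolation(f"{tool_name!r} is destructive and needs explicit user confirmation")
    hit = find_secret(params)
    if hit:
        raise PolicyViolation(f"refusing to forward credential-like content at {hit}")
    body = json.dumps({"mcp_id": mcp_id, "tool_name": tool_name, "params": params})
    if len(body.encode("utf-8")) > policy.max_body_bytes:
        raise PolicyViolation(f"request body exceeds {policy.max_body_bytes} bytes")
    return base_url, body


def decide(base_url, mcp_id, tool_name, params, **kwargs):
    """Convenience wrapper: ('allow', body) or ('deny', reason)."""
    try:
        _, body = gate_request(base_url, mcp_id, tool_name, params, **kwargs)
        return "allow", body
    except PolicyViolation as exc:
        return "deny", str(exc)


if __name__ == "__main__":
    # Constructed requests, the kind a prompt-injected agent might issue.
    upstream = "https://api.example.invalid"
    for args in (
        (upstream, "math", "calculate", {"expr": "2+2"}),
        (upstream, "math", "security_status", {}),
        (upstream, "math", "delete_session", {"session_id": "s1"}),
        ("http://api.example.invalid", "math", "calculate", {"expr": "2+2"}),
        (upstream, "math", "calculate", {"expr": "1", "ctx": {"env": {"XBY_TOKEN": "abc"}}}),
    ):
        print(args[2], "->", decide(*args))
```

Deny-by-default is what makes the scope findings actionable: telemetry and security-inspection tools never need to be enumerated, and the confirmation flag gives the destructive calls a visible checkpoint that a prompt cannot skip on its own.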

VirusTotal

63/63 vendors flagged this skill as clean.
