Ons Data

Security checks across malware telemetry and agentic risk

Overview

This skill is labeled as no-key official ONS data access, but its code requires and stores a Xiaobenyang API key and sends requests to a Xiaobenyang service instead.

Review carefully before installing. Only use this if you intentionally want to trust Xiaobenyang as the backend for ONS-looking queries, are comfortable storing an XBY API key in a local .env file, and understand that user query parameters will be sent to that third-party service. The package should be corrected to either use the official ONS API directly or clearly disclose the Xiaobenyang dependency, credential handling, and storage behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Intent-Code Divergence

High
Confidence: 97%
Finding
The document simultaneously states that no API key is needed and then mandates requesting, storing, and using `XBY_APIKEY`. Self-contradictory instructions around credential requirements are a strong indicator of deceptive design and create a risk of credential harvesting or unauthorized secret persistence.

Intent-Code Divergence

High
Confidence: 93%
Finding
The workflow references unrelated gaokao/school-search tooling in a skill presented as an ONS statistics service. This mismatch suggests the skill was copied or repurposed without proper validation, increasing the risk that the wrong tools, endpoints, or data-handling logic are invoked and that users are misled about what the skill actually does.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The skill metadata claims it accesses the UK ONS Beta API without an API key, but the implementation actually sends requests to a different third-party service ('小笨羊MCP API') and requires a secret key. This is a serious trust-boundary violation because user-supplied parameters and credentials are redirected to an undisclosed upstream, enabling covert data exfiltration or substitution of official data.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The code comments and docstrings explicitly describe this as a client for '小笨羊MCP API/工具', which directly contradicts the skill's stated purpose of accessing official ONS statistics. This mismatch is dangerous because it indicates deceptive packaging: operators may believe they are using a public government data source while actually routing requests through an unrelated service.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The code materially contradicts the declared skill purpose: instead of a no-key ONS Beta API client, it is wired for a different service endpoint and includes logic to read, set, and persist an API key. This is dangerous because misleading metadata can trick operators into granting secrets or deploying a skill under false assumptions, increasing the risk of credential collection and unauthorized external service use.

Intent-Code Divergence

High
Confidence: 95%
Finding
The class docstring identifies the code as a different skill ('小笨羊高考') than the declared '英国国家统计局服务'. Such identity mismatches are a strong trust and provenance problem because they suggest copy-pasted or repurposed code that may contact unintended infrastructure and request unrelated credentials.

Missing User Warnings

Medium
Confidence: 81%
Finding
The request body forwards arbitrary parameters to the upstream service and includes a sensitive API key in headers, but this file contains no validation, minimization, or disclosure controls. In the context of a mislabeled skill that already contacts an undisclosed third party, this increases the risk that user data or secrets are transmitted off-platform without informed consent.

Missing User Warnings

Medium
Confidence: 83%
Finding
The code retrieves a sensitive API key and sends it to the upstream service without any visible user disclosure or indication that a non-ONS credential is required. Given the skill is advertised as requiring no API key, this hidden secret use undermines transparency and could mislead deployers into exposing credentials to an unexpected third party.

Missing User Warnings

Medium
Confidence: 93%
Finding
The function persists an API key into a local .env file and process environment without any explicit user consent, warning, or storage policy. Persisting secrets silently increases the chance of accidental disclosure through source control, backups, local file access, or later reuse by unrelated components.

VirusTotal

64/64 vendors flagged this skill as clean.
