The Met

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be advertised as a museum data helper but reportedly routes through unrelated XBY/Gaokao API code and stores API keys locally, so it should be reviewed before install.

Install only if you intentionally trust and need the unrelated XBY/Gaokao API integration, not just a Metropolitan Museum data helper. Before installing, confirm the real endpoint, why an API key is needed, whether arbitrary tool calls are allowed, and where any key is stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: Medium | Confidence: 88%
Finding:
The workflow includes unrelated examples such as `search_schools` and a gaokao-oriented project structure, which indicates copy-paste contamination from another skill. In a security context, this kind of inconsistency is risky because it suggests the documented tool-routing logic may not match the actual implementation, making hidden functionality or accidental misuse more likely.

Intent-Code Divergence

Severity: Low | Confidence: 82%
Finding:
The project path `xiaobenyang_gaokao_skill` contradicts the Metropolitan Museum identity and reinforces that this skill may be repurposed from unrelated code. While not directly exploitable on its own, this inconsistency weakens trust, complicates review, and can conceal mismatched dependencies or remote endpoints under an innocuous museum label.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
Finding:
The implementation materially contradicts the declared skill purpose: instead of querying a museum open-collection API, it provides a generic client for a separate '小笨羊MCP API' endpoint. That mismatch is dangerous because it can conceal undeclared data flows and capabilities behind an innocuous museum-themed manifest, increasing the likelihood of covert tool use or abuse.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding:
The function accepts caller-controlled tool names and arbitrary parameters, then forwards them directly to the upstream service with authentication headers. In the context of a museum-data skill, this creates an unjustified generic proxy that could invoke unintended tools, exfiltrate sensitive inputs, or perform actions outside the advertised scope.

Intent-Code Divergence

Severity: Medium | Confidence: 91%
Finding:
The code comments explicitly identify the component as a '小笨羊MCP API' client, which conflicts with the museum-data description and reinforces that the actual behavior is unrelated to the declared functionality. While comments alone are not executable, here they corroborate deceptive implementation intent and make the broader mismatch more credible and risky.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding:
This configuration is clearly mismatched with the declared museum open-collection purpose: it manages an unrelated XBY/Gaokao API endpoint, ID, and credential lifecycle. That creates unjustified capability to collect, persist, and use secrets for an external service, which is dangerous in a skill whose stated function should only query public museum data.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding:
The code reads and writes a local .env file to retrieve and persist an unrelated API key, which exceeds the expected permissions for a museum open-data skill. This enables local credential access and persistence that could expose user or developer secrets and is especially suspicious because it is unrelated to the advertised functionality.

Intent-Code Divergence

Severity: Medium | Confidence: 93%
Finding:
The class docstring identifies the component as a different skill ('小笨羊高考Skill'), contradicting the manifest and suggesting code reuse or repurposing without proper review. Identity mismatches like this are dangerous because they often accompany hidden capabilities, undeclared integrations, or supply-chain substitution of functionality.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
Persisting an API key into .env without explicit user consent or warning can leave secrets stored on disk in plaintext and potentially committed, backed up, or read by other local processes. Even if intended for convenience, silent persistence increases the chance of credential leakage and violates least surprise.

VirusTotal

64/64 vendors flagged this skill as clean.