UK Police Data Query

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it presents itself as a UK police data lookup but routes requests through an unrelated third-party MCP service and stores that service's API key locally.

Install only if you are comfortable with your police-data queries and XBY API key being sent to mcp.xiaobenyang.com and with that key being stored in plaintext in a local .env file. Prefer a version that clearly explains the third-party service relationship, uses scoped or disposable credentials, and avoids persistent plaintext secret storage.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (12)

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
A public UK police data lookup skill should not normally require a third-party API key from an unrelated domain, and the instruction to obtain one from xiaobenyang.com is inconsistent with the stated purpose. This creates phishing-like credential collection risk and suggests the skill may proxy user requests through an unexpected third party.

Intent-Code Divergence

Severity: Medium. Confidence: 89%.
The workflow example calls a school-search function unrelated to police data, which indicates the document may have been copied from another skill without proper review. Such mismatches are dangerous because they can conceal unintended tool routing, incorrect API usage, or a bait-and-switch between the advertised function and actual behavior.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
The implementation does not behave like a narrowly scoped UK police-data client; instead it forwards requests to a generic external MCP endpoint using caller-controlled tool names and parameters. This mismatch is dangerous because users or upstream components may trust the skill's police-data branding while it can actually transmit arbitrary data to a broader third-party service, creating a deceptive capability and data exfiltration risk.

Context-Inappropriate Capability

Severity: Medium. Confidence: 97%.
The call_tool method is a generic remote invocation primitive: it accepts arbitrary mcp_id, tool_name, and params, then forwards them with an API key to an external service. In the context of a skill advertised as a specific police-data query service, this overbroad capability enables misuse beyond the declared purpose and can be abused to invoke unintended remote functions or leak sensitive user-supplied parameters.

Intent-Code Divergence

Severity: Low. Confidence: 86%.
The docstrings explicitly describe a '小笨羊MCP API' client rather than a UK police-data service, reinforcing that the implementation and declared purpose diverge. While largely a transparency/integrity issue by itself, in this context it increases the likelihood of deceptive routing of user requests to an unrelated external platform and undermines informed trust decisions.

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
The code’s purpose materially diverges from the declared skill behavior: instead of a police-data lookup configuration, it contains configuration for an unrelated external service ('小笨羊高考') and associated credential handling. This mismatch is dangerous because it can conceal unexpected data flows, external network access, and credential use that users and reviewers would not anticipate from the advertised skill.

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
The skill advertises police-data query functionality, but the code adds capability to set and persist an external API key for a different service. Hidden credential-management behavior broadens the trust boundary and can lead to unauthorized storage or later use of secrets outside the user’s expectations.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
Persisting an API key into a local .env file and modifying process environment state creates a durable secret-handling mechanism that is disproportionate to a simple police-data query skill. This increases the chance of accidental credential exposure through local files, backups, logs, source packaging, or reuse by other components in the same process.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The skill instructs the model to ask the user for an API key and save it, but gives no warning about how that secret will be stored, who can access it, or how long it will persist. This increases the chance of unsafe credential handling, accidental disclosure, and long-term retention of sensitive secrets.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The instruction to present raw API output directly to the user skips any privacy, minimization, or safety filtering. In a police-data context, raw responses may contain sensitive location, stop-and-search, or other law-enforcement-related information that could have privacy or misuse implications.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The function silently persists a supplied API key to .env without any visible consent, warning, or indication of retention. Secret persistence without clear user acknowledgment is dangerous because users may expect one-time in-memory use, while the key remains on disk for future access or leakage.

Ssd 3

Severity: Medium. Confidence: 96%.
Persisting a user-provided API key creates a clear data-retention risk because the skill normalizes long-term storage of credentials without describing protections. If the environment, files, or logs are later accessed, the stored secret could be recovered and abused beyond the original session.

VirusTotal

64/64 vendors flagged this skill as clean.