Xby Todolist

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed third-party to-do-list skill that sends task data to the XiaoBenYang API and stores its API key locally, with security caveats but no evidence of deception or destructive behavior.

Install only if you are comfortable using XiaoBenYang as a third-party task-memory provider. Do not store passwords, tokens, private customer data, or other sensitive material in todos, and remember that the API key will be saved in a local .env file as XBY_APIKEY rather than in an OS secrets manager.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The stated purpose is task management and external working memory, but the instructions pivot quickly into collecting a third-party API key and routing requests through an external API client. That mismatch is dangerous because it can mislead users and reviewers about the real data flow, causing them to reveal credentials to a skill whose declared function does not require them.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The workflow says the model should choose tools and that code only calls an API, yet the only documented tools are local todo operations. This inconsistency undermines user understanding of what actions will occur and can conceal unexpected external calls or data handling paths behind vague orchestration language.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The file claims tools return raw JSON from an external API, but the listed tools are local task-management functions whose expected outputs should not be framed as raw third-party data. This mismatch increases the chance that a model will mishandle outputs, over-share internals, or make unsafe assumptions about what data should be displayed directly to the user.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The skill persists an API key into a local .env file even though the stated purpose is task memory and task management, not credential management. In an agent context, local secret persistence expands the trust boundary and can expose credentials to other tools, later runs, source-control mistakes, backups, or local users without clear necessity.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The code silently writes the supplied API key to .env and also mirrors it into the process environment, without any visible user-facing warning in this file. Secret persistence without clear disclosure is dangerous because users may assume the key is transient while it remains on disk for later exposure through repository commits, logs, file sharing, or other local access.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The skill instructs the model to ask the user for an API key, save it, and then continue processing, but it provides no safeguards for secure storage, least privilege, masking, or non-echoing of secrets. That creates a clear path for credential retention and accidental disclosure, especially when combined with later instructions to display raw returned data.

Ssd 3

Severity: Medium
Confidence: 84%
Finding:
The repeated instruction to proactively capture user requirements into a persistent todo list encourages broad session logging of user-provided content. In a task-management context this can be legitimate, but without minimization or sensitivity checks it risks storing secrets, personal data, or transient context longer than needed.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The instruction to directly organize and display raw API response data lacks any requirement to inspect, filter, or redact sensitive fields before showing them. If upstream responses contain secrets, identifiers, internal metadata, or unexpected content, the model may expose them verbatim to the user.

VirusTotal

64/64 vendors flagged this skill as clean.