OpenAI Auth Switcher Public

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate OAuth account-switching purpose, but it exposes and persists sensitive auth-management material too broadly for a public install.

Install only on a private, trusted machine and only for accounts you are authorized to manage. Keep the web UI bound to localhost, avoid CI/shared terminals, treat generated passwords, install-info.json, callback files, exported auth profiles, backups, and logs as secrets, and disable or uninstall the service when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill advertises and orchestrates scripts that can read environment state, inspect and write files, invoke shell entrypoints, and potentially expose a web bootstrap, yet it declares no permissions. That mismatch is dangerous because operators or platforms may grant trust based on the manifest while the skill still performs sensitive actions related to OAuth switching, runtime inspection, backups, and packaging.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The installer prints the generated or active web login username and password directly to stdout. In practice, stdout is often captured by terminal scrollback, shell history wrappers, CI logs, remote session transcripts, or support recordings, so this leaks secrets beyond the intended operator. Given this is described as a publishable, release-safe skill, exposing runtime credentials is especially unjustified and increases risk.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This script imports and writes a live authentication profiles file directly into the detected runtime location, which can overwrite or inject active credentials into the environment. In the context of a skill advertised as publishable and release-safe, providing a workflow that handles live auth snapshots increases the chance of accidental credential transfer, misuse, or account takeover if an untrusted file is supplied.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The runtime summary reads local session `.jsonl` files and returns matching log lines, which can expose sensitive runtime data beyond minimal health/status checks. In an auth-switching skill, session logs may contain account identifiers, callback URLs, provider details, error traces, or token-adjacent metadata, so this expands data collection beyond what is necessary.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The version/mode gate checks for mode 'hourly-daily-archive-rollup-v1', but freshly initialized ledgers are created with mode 'timestamp-switch-attribution-v1'. As a result, an existing freshly created ledger will be treated as incompatible on the next run and reinitialized, which can repeatedly discard attribution state and processed key history, leading to incorrect accounting and potential loss of auditability.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The UI explicitly exposes import/export operations for live authorization artifacts, which increases the chance that sensitive OAuth/session material will be copied, exfiltrated, or mishandled. In a tool meant to be publishable and release-safe, adding direct auth-file handling materially broadens the attack surface and undermines the stated packaging boundary around runtime secrets.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The page renders the install username, password, local URL, state directory, service state, and log path directly into the browser and also embeds the Basic Auth credentials into client-side JavaScript. Any authenticated viewer, shoulder-surfer, browser extension, cached page, or XSS issue would gain reusable credentials and operational details that facilitate further compromise. This is especially dangerous because the application manages account-switching and OAuth material, so these disclosed secrets directly protect high-value auth state.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The advanced import endpoint accepts an arbitrary user-supplied source path and passes it to auth import logic, creating a path-based file access primitive against sensitive authentication material. Even if intended for convenience, allowing a web client to request server-side imports from arbitrary filesystem locations can expose or copy unrelated secrets into managed channels and is inconsistent with a public, release-safe workflow.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The design explicitly requires generating admin credentials, printing the password to install output, and storing credentials in a local state file, but it does not require protections such as restrictive file permissions, redaction from logs/history, one-time display, rotation, or user warnings. In SSH-only and multi-user Linux environments, install output may be captured in shell history, CI logs, terminal scrollback, or support transcripts, and a readable local state file could expose the web admin account to other local users or operators.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation describes an endpoint that imports an auth profile from an absolute filesystem path and copies it into the active runtime auth location, effectively replacing or altering authentication state. In the context of an account-switching/takeover workflow, this can enable credential overwrite, unintended account takeover, or disruption of existing credentials if exposed or used incorrectly, and the lack of explicit warnings or guardrails increases the likelihood of unsafe use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prints newly generated credentials, including the password, directly to stdout in both plain and JSON forms. In automation, CI logs, terminal recording, shell history capture, or shared operator environments, this can disclose sensitive credentials to unintended parties and create an avoidable secret-handling exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script collects and prints sensitive runtime metadata including account identifiers, token/profile usage details, filesystem locations, provider configuration, service status, and excerpts from recent session logs. In the context of an auth-switching skill, this materially increases exposure because the output can reveal environment structure and authentication state that an attacker, malicious downstream tool, or leaked log artifact could use for targeting, correlation, or follow-on credential abuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The installer generates credentials, service metadata, and connection details, then persists them via `save_install_info(...)` without any visible warning about sensitive local storage. In a skill handling authentication switching, silently writing credentials and runtime state to disk increases the risk of credential disclosure through weak file permissions, backups, shared accounts, or later log/artifact collection.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes and enables a user systemd unit, creating persistence across sessions, without any explicit user-facing disclosure or confirmation. In the context of an auth-switching web app, silent persistence is more sensitive because it leaves a long-running local service that could expose credentials or management interfaces beyond the user's immediate awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code reads local session files and returns portions of their contents without any user-facing notice, consent, or redaction. Because session logs often contain sensitive operational and authentication context, exposing even selected lines can leak private data to downstream components or logs.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
This function imports authorization data from an arbitrary file path and persists the extracted profile to auth-profile.json on disk without any consent prompt, sensitivity labeling, permission hardening, or audit controls in this file. Because the skill is explicitly about OAuth account switching, it handles live authentication artifacts, so silent storage of credentials increases the risk of accidental credential exposure, misuse, or cross-account compromise on shared systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The full OAuth callback URL is written to disk in `callback.txt` without redaction. OAuth callback URLs commonly contain authorization codes and state values; persisting them in plaintext can expose reusable secrets to other local users, backup systems, logs, or later compromise of the host.

VirusTotal

65/65 vendors flagged this skill as clean.