desearch-skill

Security checks across malware telemetry and agentic risk

Overview

This research skill mostly does what it says, but it needs review because it creates recurring background jobs and sends completion details to a fixed DingTalk recipient without user-scoped control.

Review before installing. Use only if you are comfortable sending research queries to Zeelin, storing a Zeelin API key locally in plaintext, and allowing the skill to create background OpenClaw cron jobs. Reconfigure or remove the hard-coded DingTalk recipient, delete packaged report/status files if unwanted, and know how to remove the zeelin-check cron job if a task fails or times out.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Remove any existing old task first
subprocess.run(["openclaw", "cron", "rm", CRON_JOB_NAME], capture_output=True)
# Create the new task: check once every minute
result = subprocess.run([
    "openclaw", "cron", "add",
    "--name", CRON_JOB_NAME,
    "--every", "1m",
Confidence
95% confidence
Finding
result = subprocess.run([ "openclaw", "cron", "add", "--name", CRON_JOB_NAME, "--every", "1m", "--message", "python3 ~/.openclaw/workspace/skill

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            parts = line.split()
            if parts:
                job_id = parts[0]
                subprocess.run(["openclaw", "cron", "rm", job_id], capture_output=True, text=True, timeout=30)
                log("定时任务已删除")
                return
log("未找到定时任务")
Confidence
84% confidence
Finding
subprocess.run(["openclaw", "cron", "rm", job_id], capture_output=True, text=True, timeout=30)

Tainted flow: 'md_url' from requests.get (line 64, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
output_file = None

if not output_file:
    r = requests.get(md_url, timeout=60)
    if r.status_code == 200:
        safe_query = "".join(c for c in query if c.isalnum() or c in " -_")[:20]
        output_file = f"{REPORTS_DIR}/zeelin_{safe_query}_{datetime.now().strftime('%Y%m%d_%H%M%S')}.md"
Confidence
90% confidence
Finding
r = requests.get(md_url, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents capabilities to read/write files, access environment/config data, invoke shell commands, and communicate over the network, yet no explicit permissions are declared. This undermines least-privilege expectations and makes it harder for users or the platform to understand that running the skill can modify local state, persist secrets, and contact external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior does not match the described purpose: the skill appears to use additional API endpoints, stores API keys locally, creates fixed-recipient notification tasks, and performs background polling at a different cadence than claimed. Most importantly, it can send data externally and set up persistent background actions without clearly enforced user confirmation, which creates significant transparency and consent risks.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill hardcodes a specific DingTalk recipient, enabling fixed outbound notifications unrelated to the user's chosen destination. In an agent skill, this is especially risky because it creates an unauthorized communication channel that could leak task metadata or be repurposed for spam/monitoring.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The installation guide states that the skill uses an external Zeelin API and sends DingTalk notifications, but it does not warn users that their research queries, generated content, and notification metadata may be transmitted to third-party services. This is a real privacy/security weakness because users may submit sensitive prompts without informed consent, especially in an automation context where background polling and notifications continue after task submission.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not clearly warn users that their research prompts and related content will be transmitted to an external Zeelin service. In a research workflow, prompts may contain sensitive business, academic, or personal information, so lack of upfront disclosure creates a meaningful data exfiltration and privacy risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill automatically writes result files and installs background or cron-based notifications that affect the user's environment, but the description does not present these as system-modifying actions requiring consent. Persistent scheduled jobs and automatic file creation can surprise users, leak data via notifications, or leave behind unwanted state on shared systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly instructs users to place a live API key in a plaintext JSON file under their home directory without warning about local credential exposure, file permission hardening, or safer secret storage options. This can lead to accidental disclosure through backups, screenshots, shell history, dotfile syncing, misconfigured permissions, or compromise of the local account, especially because the skill is designed to use a real external API credential.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document presents autonomous browser-driven actions such as repeated price negotiation and cross-application task execution as success cases without any accompanying warning about consent, rate limits, account lockout, legal/ToS issues, or unintended side effects. In a skill/report context for an agent system, this can normalize unsafe automation and encourage deployment of actions that materially affect third-party systems and user accounts.

Missing User Warnings

High
Confidence
94% confidence
Finding
These lines describe remote server login, log extraction, and service control operations, including restarting production services from chat, without warnings about privilege boundaries, authentication, environment targeting, rollback, or outage risk. In an agent skill ecosystem, such omissions are dangerous because they frame high-impact operational control as routine and can lead to unauthorized or destructive actions on critical infrastructure.

Missing User Warnings

High
Confidence
93% confidence
Finding
The markdown describes automated market monitoring, signal generation, and execution of trading instructions without a safety disclaimer about financial loss, regulatory obligations, model error, or the need for human review. Because this is presented in a skill-related artifact, it could encourage unsafe deployment of autonomous financial actions where mistakes can cause rapid real-world harm.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The API key is stored in a plaintext config file under the user's home directory without warning or permission hardening. If local filesystem access is obtained by another process or user, the credential can be recovered and used to access the external research API.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The guide says task completion triggers automatic DingTalk notifications but does not warn that task metadata or content may be sent to an external messaging service. In a research skill, topics and report status can be sensitive, so silent third-party transmission increases privacy and data-leakage risk, especially in enterprise or regulated environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal