Ruankao Gaoxiang Prep

Security checks across malware telemetry and agentic risk

Overview

This study reminder skill is not clearly malicious, but it needs review because it can create persistent scheduled QQ bot messages (unattended agent turns) from broad triggers, and it gives no guidance on protecting the recipient openid it asks for.

Install only if you want this skill to create a recurring QQ study reminder. Before enabling it, verify the recipient openid, avoid storing the config in /tmp or sharing logs/screenshots containing the openid, and inspect existing OpenClaw cron jobs so you know how to delete the reminder. For one-time chapter or vocabulary lookup, the skill should not create a scheduled job unless you explicitly confirm the reminder schedule and destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to read local files such as `references/...` and relies on the behavior of `scripts/daily_push.py`, but does not declare the corresponding file-read or script-execution permissions. Undeclared capability weakens transparency and reviewability, which can enable data access beyond what users and platform reviewers expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The public description presents the skill as a study helper, but the instructions also configure cron jobs, target `qqbot`, and send messages to a user openid. This mismatch is dangerous because users may trigger persistent automated outbound messaging and external delivery without informed consent or clear disclosure.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill claims simple lookup/review functionality, yet a mandatory rule forces cron scheduling for broad prep-related requests. That design can convert ordinary informational queries into state-changing automation, increasing the risk of unwanted recurring messages and confusing user intent.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documentation is internally contradictory: one section says prep-related requests must schedule cron jobs, while later sections describe direct one-time answers for today's content, chapter queries, and vocabulary. Contradictory instructions make it easier for the agent to take unintended state-changing actions, especially in response to ambiguous user prompts.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script creates a scheduled job that sends outbound QQ bot messages and triggers an agent turn automatically. Although this aligns with the skill's stated daily-push behavior, it still expands the skill from passive study assistance into persistent external message delivery and unattended execution, which increases abuse potential if the content generator or recipient is altered.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script enumerates existing cron jobs and can delete and recreate them, which grants broader control over platform scheduling than a study-prep skill strictly needs. Even though it attempts to target jobs by name, this pattern is risky because it normalizes modification of scheduler state and could be repurposed or misapplied to disrupt other jobs.
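The least-privilege alternative to "list everything, delete by name, recreate" is an upsert that can only ever touch the one job the skill owns. The example below is added here and is not `scripts/daily_push.py`; the in-memory job list stands in for the OpenClaw scheduler (its real API is not shown on this page), and `JOB_NAME`, `OWNER_TAG` and the sample jobs are assumptions. `risky_replace` reproduces the pattern the finding warns about (a substring match that also deletes a similarly named job belonging to someone else); `safe_upsert` requires an exact name match plus an owner tag and refuses on ambiguity.

```python
"""Update one named cron job without being able to touch any other job.

Added example, not scripts/daily_push.py. The in-memory job list stands in for
the OpenClaw scheduler (its real API is not shown on this page); JOB_NAME and
OWNER_TAG are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

JOB_NAME = "ruankao-daily-push"    # assumption
OWNER_TAG = "owner:ruankao-prep"   # assumption: marks jobs this skill created


@dataclass
class Job:
    name: str
    schedule: str
    target: str
    tags: List[str] = field(default_factory=list)


# Constructed sample scheduler state: one unrelated job, one similarly named job
# that belongs to someone else, and the skill's own (tagged) job.
SAMPLE_JOBS = [
    Job("backup-nightly", "0 2 * * *", "local"),
    Job("ruankao-daily-push-test", "0 8 * * *", "qqbot:openid-A"),
    Job("ruankao-daily-push", "0 7 * * *", "qqbot:openid-B", [OWNER_TAG]),
]


def risky_replace(jobs, name, new_job):
    """The pattern the finding warns about: substring match, delete all, recreate."""
    return [j for j in jobs if name not in j.name] + [new_job]


def safe_upsert(jobs, new_job, dry_run=False) -> Tuple[List[Job], str]:
    """Create or replace exactly one job. Requires an exact name match and the
    owner tag on any job being replaced; refuses on ambiguity."""
    exact = [j for j in jobs if j.name == new_job.name]
    if len(exact) > 1:
        raise RuntimeError(f"{len(exact)} jobs named {new_job.name!r}; refusing")
    if exact and OWNER_TAG not in exact[0].tags:
        raise RuntimeError(f"job {new_job.name!r} was not created by this skill; refusing")
    if OWNER_TAG not in new_job.tags:
        new_job.tags.append(OWNER_TAG)
    action = "update" if exact else "create"
    if dry_run:
        return list(jobs), "would " + action
    kept = [j for j in jobs if not exact or j is not exact[0]]
    return kept + [new_job], action


def upsert_refused(jobs, new_job) -> bool:
    """True when safe_upsert declines to act (shows the guard rails without raising)."""
    try:
        safe_upsert(jobs, new_job, dry_run=True)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    wanted = Job(JOB_NAME, "30 7 * * *", "qqbot:openid-B")
    print("risky:", [j.name for j in risky_replace(SAMPLE_JOBS, JOB_NAME, wanted)])
    jobs, action = safe_upsert(SAMPLE_JOBS, wanted)
    print("safe:", action, [j.name for j in jobs])
```

Running it shows `risky_replace` silently dropping `ruankao-daily-push-test`, while `safe_upsert` replaces only the tagged job and leaves the other two untouched. The `dry_run` path is what a skill should run first and show to the user before changing scheduler state.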

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs users to enter a QQ openid, which is an account identifier used for message delivery, but does not warn that it is sensitive or advise minimizing exposure. In practice, this can lead users to paste or store identifiers in shell history, screenshots, logs, or shared terminals, increasing privacy and misdelivery risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The manual setup tells users to place their QQ openid and delivery configuration into a file under /tmp, a commonly shared and weakly controlled temporary location. Sensitive identifiers and routing details in /tmp may be readable by other local users, exposed through backups/debugging, or left behind after use.
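The install checklist in the overview (verify the openid, keep the config out of /tmp) and the two findings above about the openid and the /tmp config can be turned into a concrete pre-install check. The script below is an added example, not the skill's own setup code: it flags a config stored under the shared temp directory or with group/other-readable mode bits, sanity-checks the openid for pasted whitespace or a log fragment, and writes the config owner-only with `O_EXCL` so a pre-planted file cannot be clobbered. The JSON layout (`openid`, `target_type`), the loose openid pattern and the per-user path are assumptions, since the real format is not documented on this page.

```python
"""Audit where a QQ reminder config lives and write it owner-only.

Added example, not the skill's own setup script. The JSON layout ("openid",
"target_type"), the loose openid pattern and the per-user path are assumptions.
"""
import json
import os
import re
import stat
import sys
import tempfile
from pathlib import Path

# Assumption: the real openid alphabet is not documented on this page, so this is
# only a sanity check against pasted whitespace, quotes or log fragments.
OPENID_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")
ALLOWED_TARGET_TYPES = ("qqbot_user",)  # assumption: one explicit recipient kind


def audit_config_path(path, shared_dirs=(tempfile.gettempdir(),)):
    """Return problems with the config's location and permissions (empty list = ok)."""
    problems = []
    resolved = Path(path).resolve()
    for shared in shared_dirs:
        if Path(shared).resolve() in resolved.parents:
            problems.append(f"config lives under shared temp dir {shared}")
    if not resolved.exists():
        problems.append("config file does not exist")
        return problems
    mode = stat.S_IMODE(resolved.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"config mode {oct(mode)} is readable by group/others")
    return problems


def audit_config_content(cfg):
    """Return problems with the delivery fields themselves (empty list = ok)."""
    problems = []
    openid = cfg.get("openid")
    if not isinstance(openid, str) or not OPENID_RE.fullmatch(openid.strip()):
        problems.append("openid missing or malformed")
    elif openid != openid.strip():
        problems.append("openid has surrounding whitespace (copy/paste artifact?)")
    if cfg.get("target_type") not in ALLOWED_TARGET_TYPES:
        problems.append("target_type is not an explicitly allowed recipient type")
    return problems


def write_config_private(path, cfg):
    """Create the file 0600 with O_EXCL (no clobbering, no race with a pre-planted
    file) and return the resulting mode bits."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cfg, f)
    return stat.S_IMODE(path.stat().st_mode)


if __name__ == "__main__":
    # Audit an existing config given on the command line; default path is an assumption.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".config" / "ruankao-prep" / "reminder.json"
    print("path:", audit_config_path(target) or "ok")
    if target.exists():
        with open(target) as f:
            print("content:", audit_config_content(json.load(f)) or "ok")
```

Run it against the `/tmp` file the manual setup tells you to create and the first line reports the shared-temp-dir problem; after moving the config under your own home with `write_config_private`, both audits come back clean.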

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes broad phrases such as “备考” (exam prep), “英语单词” (English vocabulary), and “章节重点” (chapter key points), which can match ordinary user conversation outside the intended soft-exam context. This can cause the skill to activate unexpectedly and generate unsolicited responses or workflows, increasing the chance of accidental data handling or user confusion when combined with the automation features.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup instructions create an automatic scheduled push task and explicitly tell the user to obtain an openid from logs, but they do not clearly warn about the privacy and persistence implications. This is dangerous because users may unknowingly create recurring outbound messages and expose identifiers in logs or copied command history, which can be abused for unwanted messaging or privacy leakage.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad and generic enough to activate on ordinary study-related conversation, increasing the chance of accidental invocation. In this skill, accidental invocation matters because activation can lead to cron setup and outbound messaging rather than a harmless informational reply.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The mandatory invocation rule uses sweeping wording like 'any related request' and requires cron usage, making activation boundaries ambiguous. Broad mandatory automation is risky because users asking for help or content may unintentionally authorize a persistent scheduled workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs creation of a scheduled reminder without a clear upfront warning that this produces ongoing automated messages to an external channel. This is dangerous because users may not realize they are authorizing persistent notifications, which can become spammy or privacy-impacting if sent to the wrong QQ account.
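The three vague-trigger findings and the missing-warning findings above share one fix: activation of the skill may stay keyword-based, but a state change (creating the cron job) must require explicit schedule intent plus an exact confirmation phrase, preceded by a warning that says what is being created. The gate below is an added example, not the skill's own rule. `TRIGGERS` are the phrases the finding quotes; `SCHEDULE_INTENT`, `CONFIRM_PHRASE`, the warning text and the sample prompts are assumptions.

```python
"""Gate 'answer a question' separately from 'create a recurring push'.

Added example, not the skill's own rule. TRIGGERS are the phrases the finding
quotes; SCHEDULE_INTENT, CONFIRM_PHRASE and the Decision shape are assumptions.
"""
from dataclasses import dataclass

TRIGGERS = ("备考", "英语单词", "章节重点")                              # quoted in the finding
SCHEDULE_INTENT = ("每天", "每日", "定时", "提醒", "daily", "remind")    # assumption
CONFIRM_PHRASE = "确认创建提醒"                                         # assumption: explicit opt-in token

WARNING = ("This will create a cron job that sends a QQ message to the configured "
           "openid on every run, unattended, until the job is deleted. "
           f"Reply exactly '{CONFIRM_PHRASE}' to proceed.")


@dataclass
class Decision:
    activate: bool
    action: str          # "none" | "answer" | "ask_confirm" | "schedule"
    warning: str = ""


def broad_trigger(text):
    """What the finding describes: any keyword anywhere activates the skill."""
    return any(t in text for t in TRIGGERS)


def decide(text, confirm_reply=""):
    """Activation may still be broad, but a state change needs explicit
    schedule intent AND the exact confirmation phrase."""
    if not broad_trigger(text):
        return Decision(False, "none")
    lowered = text.lower()
    if not any(w in lowered for w in SCHEDULE_INTENT):
        return Decision(True, "answer")          # one-time lookup, no side effects
    if confirm_reply.strip() != CONFIRM_PHRASE:
        return Decision(True, "ask_confirm", WARNING)
    return Decision(True, "schedule")


if __name__ == "__main__":
    # Constructed prompts (assumptions): unrelated chat, a lookup, a reminder request.
    for prompt in ("朋友最近在备考公务员，压力很大",
                   "今天的英语单词有哪些",
                   "每天早上七点提醒我复习章节重点"):
        print(prompt, "->", decide(prompt).action)
    print(decide("每天早上七点提醒我复习章节重点", CONFIRM_PHRASE).action)
```

The first prompt shows the over-broad trigger firing on a civil-service exam conversation, but the worst outcome is now an unwanted answer rather than an unwanted cron job; the reminder request produces `ask_confirm` with the warning, and only a reply equal to the confirmation phrase yields `schedule`.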

VirusTotal

0/67 vendors flagged this skill; all 67 reported it clean.
