日常小助手 MCP Server

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local daily-task MCP server, with ordinary task-file access and installer side effects that users should review before using auto setup.

Before installing, review src/setup.py and consider running the interactive setup instead of --auto if you want manual control. Back up editor MCP config files such as ~/.claude.json and ~/.cursor/mcp.json, and expect a local .venv, a daily-task data folder, config.json, and persistent MCP registrations in detected editors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        print(f"   ⏭️  fastmcp 已安装")
    else:
        print(f"   📦 安装 fastmcp...")
        result = subprocess.run(
            [str(venv_python), "-m", "pip", "install", "fastmcp"],
            capture_output=True,
            text=True,
        )
Confidence
83% confidence
Finding
result = subprocess.run( [str(venv_python), "-m", "pip", "install", "fastmcp"], capture_output=True, text=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises operations that inherently require file reads, file writes, and shell execution, but it does not declare those permissions explicitly. This weakens informed consent and security review because users and hosts cannot easily understand the effective capabilities before installation or execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose presents the skill as a simple daily task assistant, but the described behavior includes broader capabilities such as reading full task/history content, rewriting files, creating environments, installing dependencies, and modifying AI editor MCP configurations. This mismatch can mislead users into granting trust to a tool that performs materially more sensitive actions than the summary suggests.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The README documents an installer that does more than set up the task-management server: it probes the host for supported AI editors and modifies their MCP configuration files. That is a real security-relevant capability because it changes trusted client configuration on the user's machine, potentially expanding the server's reach beyond its stated task-management function and normalizing broad host-side modification during install.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Auto-detecting installed AI editors and editing their MCP config is a host-configuration capability that is not inherently required to manage daily tasks. In an MCP ecosystem, client config controls what servers an AI agent can access, so silently or broadly modifying those files can create trust-boundary issues, persistence, or unexpected exposure of the server to multiple agents/editors.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This initialization script performs environment creation, package installation, and editor auto-configuration, which is broader than the core task-management behavior described by the skill. Such setup-side effects increase trust requirements and attack surface because running the skill setup alters the local system and editor state automatically.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code detects multiple AI editors and writes MCP configuration entries into user home-directory config files automatically. In this context, that is more dangerous because a daily assistant should not need to silently persist itself across several unrelated developer tools; it creates cross-application persistence and modifies trusted configuration surfaces.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup command states that it will auto-configure the user's AI editor, but the instructions do not prominently warn that local editor configuration files may be detected and modified. Silent or poorly disclosed configuration changes increase the risk of unintended persistence, trust-boundary crossing, and installation of capabilities the user did not knowingly approve.

VirusTotal

64/64 vendors flagged this skill as clean.
