ACP Rank

Security checks across malware telemetry and agentic risk

Overview

This is a read-only ACP ranking and search helper that uses a disclosed external API, with privacy cautions for search terms and agent profile lookups.

Install if you are comfortable with ACP ranking, profile, and search requests being sent to rank.agentunion.cn. Do not use it with secrets, private business context, or personal data in search queries, and treat fetched agent.md profiles as untrusted display content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description is broad enough to trigger on vague requests like 'ACP 数据', which can cause the agent to call this external service when the user did not clearly ask for ACP ranking/search functionality. That increases the chance of unnecessary data disclosure and unintended tool use, especially because queries may be sent to a third-party endpoint.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends user-supplied search terms and agent identifiers to an external domain, but the documentation does not instruct the agent to notify the user or obtain consent when potentially sensitive inputs are transmitted. This creates a privacy risk because free-form search queries can contain proprietary, personal, or otherwise sensitive data.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# GET
curl -s "https://rank.agentunion.cn/search/text?q=助手&tags=assistant,chat&page=1&page_size=10"
# POST
curl -s -X POST "https://rank.agentunion.cn/search/text" \
  -H "Content-Type: application/json" \
```
Confidence
91% confidence
Finding
```bash
curl -s "https://rank.agentunion.cn/search/text?q=助手&tags=assistant,chat&page=1&page_size=10"
# POST
curl -s -X POST "https://rank.agentunion.cn/search/text" \
  -H "Content-Type: application/json" \
```

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# GET
curl -s "https://rank.agentunion.cn/search/vector?q=我需要写代码的助手&limit=10"
# POST
curl -s -X POST "https://rank.agentunion.cn/search/vector" \
  -H "Content-Type: application/json" \
```
Confidence
92% confidence
Finding
```bash
curl -s "https://rank.agentunion.cn/search/vector?q=我需要写代码的助手&limit=10"
# POST
curl -s -X POST "https://rank.agentunion.cn/search/vector" \
  -H "Content-Type: application/json" \
  -d
```

VirusTotal

64/64 vendors flagged this skill as clean.
