Last30days

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate recent-research skill, but it sends research topics and generated queries to AIsa and public data APIs.

Install only if you are comfortable sending research topics, generated subqueries, and source lookups to AIsa and public platform APIs. Avoid secrets, unreleased product names, sensitive personal data, or confidential investigations in prompts. Use a least-privilege GitHub token if enabling GitHub, restrict sources with --search when needed, and only use Xiaohongshu/local logged-in integrations if you intentionally want that account-backed source used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises and requires capabilities consistent with environment access, shell execution, file read/write, and network use, but it does not declare permissions explicitly. That weakens informed consent and sandbox enforcement in compatible harnesses, making it easier for a user or platform to underestimate what the skill can access and do during execution.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The runtime can contact an external Xiaohongshu HTTP API endpoint, including a default host.docker.internal address, despite the skill being described as AISA-only and not documenting this dependency. Hidden network dependencies increase attack surface and can unintentionally send requests to local or operator-controlled services, which is more dangerous in an agent skill that may run in varied environments.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file implements a secondary 'fun judge' path that scores items for humor, wit, and shareability, which is misaligned with the skill's stated purpose of producing evidence-based recent research briefs. In a research-ranking pipeline, such signals can bias selection toward entertaining or viral content over relevance and factual quality, degrading integrity of outputs and making the system easier to manipulate with slangy, meme-like, or engagement-optimized content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends user queries and related research data to external AIsa services and public-source APIs, but the description does not clearly warn users about that data flow. In a research skill, users may include sensitive company, product, or person-related queries, so missing disclosure increases the risk of unintended third-party data exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function sends the user-provided query and date range to an external AIsa/Tavily service via `aisa.search_tavily(...)`, which is a real data-sharing boundary. Even though this appears necessary for the skill's purpose, the file contains no user-facing disclosure, consent check, or minimization of potentially sensitive query contents, so users may unknowingly transmit private research terms or personal data to a third party.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code sends the raw user-supplied topic to an external AISA/Tavily-backed search service via `aisa.search_tavily(...)`, which can expose sensitive user queries, company names, unreleased products, or investigative targets to a third party. In this skill's context, the whole purpose is external social/web research, so some outbound transmission is expected, but the absence of explicit consent, minimization, or redaction still creates a real privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.