Security audit

rednote-contacts

Security checks across malware telemetry and agentic risk

Overview

The skill’s crawler behavior is coherent, but it can expose browser/proxy credentials and session-related details through command strings and persisted job metadata.

Install only if you trust the red-crawler binary and will use a private workspace. Avoid putting real browser_auth or proxy credentials into this skill unless you accept that they may appear in command output, job JSON, logs, or status results. Keep Playwright storage-state files, job directories, logs, and databases out of shared folders and version control, and review bootstrap flags before allowing dependency or browser installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with stdout_path.open("a", encoding="utf-8") as stdout_handle, stderr_path.open(
    "a", encoding="utf-8"
) as stderr_handle:
    process = subprocess.Popen(
        job["argv"],
        cwd=job["workspace_path"],
        stdout=stdout_handle,
Confidence
82% confidence
Finding
process = subprocess.Popen( job["argv"], cwd=job["workspace_path"], stdout=stdout_handle, stderr=stderr_handle,

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill's stated purpose is running an installed crawler for contact discovery, but it also exposes bootstrap, installation-adjacent, and job-control capabilities. This scope expansion increases attack surface by allowing callers to manipulate environment state and long-running processes beyond the narrowly described business function.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The bootstrap flow can run 'uv sync' and browser installation commands even though the skill description says it runs an installed CLI. Allowing dependency synchronization or browser installation lets a caller trigger environment mutation and execution of package-install hooks, increasing supply-chain and code-execution risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill forwards sensitive values such as browser_auth, proxy credentials, and related connection parameters directly into child-process arguments. Command-line arguments are often exposed through process listings, logs, crash reports, and persisted metadata, so secrets may be disclosed to other local users or stored unintentionally.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The job metadata persisted to disk includes the full resolved request and full argv, which can contain storage_state paths, browser_auth, proxy credentials, and other operationally sensitive values. Because these files are written into the workspace and later exposed via job-status mechanisms, the skill creates a durable local secret leakage channel.

VirusTotal

63/63 vendors flagged this skill as clean.
