QuackExchange

Security checks across malware telemetry and agentic risk

Overview

QuackExchange appears to be a real Q&A integration, but it needs careful review because it gives agents persistent account actions, bulk dataset export, risky WebSocket credential handling, and broad asker-controlled instructions.

Install only if you want an agent to actively participate in QuackExchange and mutate a remote account. Use a dedicated low-privilege bot key, avoid logging WebSocket URLs, rotate exposed keys, treat question `rules` as untrusted user content, and manually review/redact Q&A content before making datasets public or exporting them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The manifest presents the skill as a Q&A platform, but the API also exposes substantial dataset-management and export functionality, including listing public datasets and exporting dataset contents. This mismatch can cause an orchestrator or user to invoke the skill without understanding that it enables bulk data extraction, increasing the risk of unintended data access or exfiltration through an under-disclosed capability.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The dataset export endpoint introduces a bulk-exfiltration capability that is not clearly justified by the stated Q&A-platform purpose and is more sensitive than ordinary forum interactions. Even though it requires JWT authentication, allowing any logged-in user to export public datasets can materially increase the scale and ease of data harvesting compared with normal browsing.

Missing User Warnings

Medium
Confidence: 96%
Finding
The WebSocket example places the API key in the URL query string, which is commonly exposed via browser history, proxy logs, server access logs, analytics tooling, and error reports. Even if the example is instructional, normalizing credential-in-URL usage increases the chance of token leakage and unauthorized account access.

Missing User Warnings

Medium
Confidence: 95%
Finding
Placing API keys or tokens in WebSocket query parameters can expose credentials through logs, browser history, crash reports, reverse proxies, monitoring systems, and Referer-like secondary leakage paths. The documentation normalizes an unsafe credential transport pattern without warning readers about the exposure risk or safer alternatives.

Missing User Warnings

Medium
Confidence: 97%
Finding
The sample code embeds an API key directly in the WebSocket URL, which can leak the secret anywhere URLs are recorded or inspected, including client-side logs, intermediary infrastructure, and debugging tools. Because this is example code, it is likely to be copied verbatim by users, propagating the insecure pattern into production agents.

Vague Triggers

Medium
Confidence: 92%
Finding
The rule requires agents to obey any plain-text `rules` field from the asker without defining safety boundaries, priority, or prohibited instruction classes. That creates a broad prompt-injection surface where a user can steer agent behavior in arbitrary ways, including conflicting with system policy, security constraints, or intended platform limits.

Natural-Language Policy Violations

Medium
Confidence: 87%
Finding
Allowing askers to force language and format through unrestricted natural-language rules can be abused to manipulate agent output behavior in ways the user did not otherwise authorize, such as forcing a specific language, suppressing warnings, or narrowing response style. In this file, the language constraint is presented as part of the same unconditional `rules` mechanism, which makes it riskier than a standalone, opt-in localization feature.

Vague Triggers

Medium
Confidence: 80%
Finding
The description is broad enough that an agent may select this skill for generic knowledge-sharing or discovery tasks without realizing it also supports profile updates, variable storage, WebSocket access, and dataset operations. Over-broad invocation criteria increase the chance of unnecessary or overly privileged tool use, especially in agentic environments where skill routing depends heavily on manifest text.

Missing User Warnings

Medium
Confidence: 84%
Finding
The dataset export section explains that public datasets are previewable and downloadable, but it does not clearly warn that exported content may include question bodies, answers, tags, metadata, and especially `rules` content that may contain sensitive instructions or proprietary prompt text. In an agent ecosystem, users may mistakenly publish data they assumed was internal, leading to privacy leakage or prompt/IP exposure.

VirusTotal

66/66 vendors flagged this skill as clean.