court-notice

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent court-notice workflow, but it automatically downloads sensitive legal documents, changes Calendar data, and installs persistent reminders with weak scoping and unsafe script generation.

Review carefully before installing. Only use this with trusted court links and after you are comfortable with it saving PDFs to your Desktop, writing case details and PDF URLs into Calendar, and creating LaunchAgent reminder files. Prefer a version that asks for confirmation, escapes AppleScript/plist values, uses native Calendar alerts instead of launchd, and removes or clearly documents any calendar-deletion behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f.write(script)
f.close()

result = subprocess.run(['osascript', f.name], capture_output=True, text=True)
subprocess.run(['rm', '-f', f.name])

if result.returncode != 0:
Confidence
97% confidence
Finding
result = subprocess.run(['osascript', f.name], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with open(plist_path, 'w') as f:
    f.write(plist_content)

subprocess.run(['launchctl', 'load', plist_path], capture_output=True)

return True
Confidence
92% confidence
Finding
subprocess.run(['launchctl', 'load', plist_path], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f.write(script)
f.close()

result = subprocess.run(['osascript', f.name], capture_output=True, text=True)
subprocess.run(['rm', '-f', f.name])
return result.returncode == 0
Confidence
96% confidence
Finding
result = subprocess.run(['osascript', f.name], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill specifies shell execution and filesystem writes without declaring corresponding permissions, which hides its true capability surface from users and any policy or review layer. In this skill's context, those capabilities are used to download files to the desktop and create persistence-related artifacts, so the missing declaration meaningfully increases the risk of unauthorized local changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior materially differs from the implemented behavior, including undeclared deletion capability for calendar events and the absence of the promised automatic linkage between parsing and calendar creation. Security reviewers and users rely on the description to understand what the skill will do; when it is inaccurate, risky actions can be concealed and consent becomes uninformed.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script installs a LaunchAgent in ~/Library/LaunchAgents for a reminder, introducing persistence beyond the obvious one-time task of creating a calendar event. In an agent skill advertised as 'zero prompts' and automatic processing, silently establishing persistence materially increases abuse potential and user surprise.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger condition is broad enough that ordinary mentions of court SMS or PDF handling could activate the skill unexpectedly. Because the skill performs state-changing actions such as downloading files and creating calendar entries, accidental activation can cause unwanted system modifications based on untrusted or incidental content.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill advertises zero-popup, zero-manual-operation handling while automatically downloading a PDF, writing to a calendar, and installing a launchd plist for future reminders. These are sensitive, persistent, and externally influenced actions, so omitting clear risk disclosure and confirmation makes it easy for untrusted message content to drive system changes without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code is explicitly designed to create calendar events and install a reminder mechanism without any user warning or confirmation. In this skill context, silent modification of personal calendar data and background scheduling is security-relevant because it normalizes covert system changes and can be abused through crafted court notices.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The deletion helper removes calendar events matching a case number with no disclosure, confirmation, or preview of affected entries. Silent destructive behavior is risky in an automation skill because malformed or attacker-controlled input could cause unintended loss of legitimate calendar records.

Session Persistence

Medium
Category
Rogue Agent
Content
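2. Extract the text content with pypdf
3. Determine the document type (summons / notice to appear → create a calendar event; anything else → report only)
4. AppleScript writes directly to the "工作" (Work) calendar (no popups)
5. A launchd plist sets a system notification reminder 1 day in advance
6. Generate a summary report of the document
7. Save the PDF to the Desktop and return it to the user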
```
Confidence
89% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
Time format: `YYYY-MM-DD HH:MM` (e.g. `2026-04-24 10:00`)

The launchd plist is saved to `~/Library/LaunchAgents/com.mm.court-{案号hash}.plist` (`案号` means case number)

### 3. Download the PDF to the Desktop
```bash
Confidence
90% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
Time format: `YYYY-MM-DD HH:MM` (e.g. `2026-04-24 10:00`)

The launchd plist is saved to `~/Library/LaunchAgents/com.mm.court-{案号hash}.plist` (`案号` means case number)

### 3. Download the PDF to the Desktop
```bash
Confidence
90% confidence
Finding
plist

VirusTotal

66/66 vendors flagged this skill as clean.