Calculator Kel

Security checks across malware telemetry and agentic risk

Overview

This is advertised as a calculator, but it requires a third-party API key, sends calculations to a remote service, and saves the key locally in plaintext.

Install only if you specifically want a remote XiaoBenYang-backed calculator and are comfortable giving it an API key. Treat the key as sensitive, expect it to be stored in a local .env file, and prefer a throwaway or tightly scoped key. For ordinary arithmetic, a local calculator skill would be safer and more proportionate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares itself as a simple calculator but the documentation indicates capabilities to read environment data, write files, and make network calls without transparently declaring or justifying those permissions. This broad hidden capability materially increases attack surface because a user may disclose secrets or allow persistence/network activity under the false assumption that only local arithmetic is performed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
There is a strong description-behavior mismatch: a calculator should not need remote HTTP calls, local credential persistence, or external service dependency for basic math. Such mismatch is dangerous because it can trick users into providing API keys and sending data off-device to an unrelated service they did not knowingly authorize.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The workflow example references school-search style API calls that are unrelated to a numeric calculator, indicating likely copy-paste residue or concealed functionality. This inconsistency makes the skill context more dangerous because it suggests the model may route user inputs to unintended tools or external services under misleading branding.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
Requiring an external API key for addition, subtraction, multiplication, division, powers, square roots, and factorials is disproportionate and inconsistent with the stated calculator purpose. This is dangerous because it conditions users to hand over credentials for trivial tasks and obscures unnecessary remote dependency and data exposure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the model to collect a user API key and persist it locally, which is excessive for a basic calculator and expands the blast radius of compromise. Persisted secrets can be exposed through logs, file leakage, workspace sharing, or later misuse by unrelated components.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The return-value guidance tells the model to display raw external API JSON, which contradicts the expected behavior of a calculator and may expose internal response fields, metadata, or sensitive content. Showing raw responses also weakens output sanitization and can leak implementation details of the backend service.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documented project path points to a gaokao-related skill rather than a calculator, reinforcing that this package may be repurposed from a different application. In context, this mismatch raises suspicion of undocumented behavior and undermines user trust in what code and data flows are actually involved.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file for a skill described as a numeric calculator implements a generic outbound HTTP client that can invoke arbitrary remote tools via attacker-controllable mcp_id and tool_name values. This creates a capability mismatch: instead of local arithmetic only, the skill can exfiltrate parameters to an external service and act as a proxy for broader remote actions, which is far more powerful than the declared purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code performs external network access and sends requests with a dynamically supplied tool_name in the func header, enabling remote selection of operations outside the minimal scope of a calculator. In the context of a '数值计算器' (numeric calculator) skill, this expanded capability is especially dangerous because users and host systems may trust it as a harmless local utility while it actually brokers arbitrary upstream actions.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file's behavior does not match the declared 'numeric calculator' purpose: it manages a remote service endpoint, MCP identifier, and API credential loading/persistence. This capability mismatch is dangerous because it expands trust and access beyond what users would reasonably expect from a local calculator skill, increasing the risk of covert data exfiltration or unauthorized remote dependency use.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Persisting, reading, and exposing an API key is not proportionate to the stated functionality of a numeric calculator. In this context, credential-handling logic is especially suspicious because it introduces secret storage and retrieval paths that users may not anticipate, making abuse or silent remote access more dangerous.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The presence of external service configuration (base_url and mcp_id) contradicts the declared limited-purpose calculator role. Even without direct exploitation in this file, it establishes a hidden network-capable dependency surface that can enable unexpected outbound communication or service coupling.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill asks users to provide an API key and save it but gives no warning about persistence, scope, storage location, or risks of disclosure. This is dangerous because users may unknowingly expose long-lived credentials in an environment not intended for secret management.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The request sends both user-supplied parameters and the API key to an external endpoint, but this file contains no user-facing disclosure, consent mechanism, or minimization controls. While sending credentials to the intended upstream is normal for API clients, in this skill context the hidden transmission is risky because the advertised functionality does not imply off-box processing or secret-bearing network calls.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code stores the API key in a local .env file without any visible user warning, confirmation, or disclosure that the secret will be persisted. This can lead to accidental long-term credential exposure through source control inclusion, shared working directories, backups, or local compromise.

VirusTotal

64/64 vendors flagged this skill as clean.