Char Index

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple string utility on the surface, but it sends user text to a remote API and stores an API key locally, so users should review it before installing.

Install only if you are comfortable sending the text you process, including any source code or private content, to xiaobenyang.com and storing an XBY_APIKEY in a local .env file. Avoid using it for secrets or sensitive data unless the publisher clarifies retention, storage, and remote-processing practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill presents itself as a simple local string-processing utility, yet its documented behavior implies access to environment variables, local files, file writes, and external network calls without declaring those capabilities. This reduces transparency and can mislead users and reviewers about the trust boundary, especially because API keys are read from and written to local configuration.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The declared purpose is local character-index string manipulation, but the workflow actually routes all operations through a remote API, reads secrets from the environment, and persists them locally. That mismatch is dangerous because users may provide sensitive text assuming local-only processing, when in fact data and credentials are sent and stored outside the stated scope.

Description-Behavior Mismatch

High
Confidence: 96%
Finding: A local string utility should not need a third-party API key for basic index and substring operations, so this requirement strongly suggests undisclosed remote processing. In context, that makes the skill more dangerous because even innocuous-looking text operations may exfiltrate user input to an external service under a misleading local-tools description.

Intent-Code Divergence

Medium
Confidence: 90%
Finding: The workflow says 'code only calls the API,' which conflicts with the advertised role of a local string-processing server and indicates the skill is acting primarily as a remote client. This inconsistency obscures where computation happens and increases the risk that users unknowingly send sensitive input off-device.

Intent-Code Divergence

Medium
Confidence: 86%
Finding: Requiring presentation of raw API response data for simple string operations is inconsistent with a local utility and may expose unnecessary metadata or backend-returned content to the user. In this context, it further confirms that user inputs are being handled by a remote service rather than processed locally as implied.

Description-Behavior Mismatch

High
Confidence: 97%
Finding: The file implements a generic outbound HTTP client that can invoke arbitrary remote MCP tools, which materially exceeds the stated scope of a local character-index string processing utility. This mismatch is dangerous because it introduces undisclosed network execution and data exfiltration capability behind an innocuous description, reducing the user's ability to assess trust and increasing abuse potential.

Context-Inappropriate Capability

High
Confidence: 95%
Finding: The client accepts caller-controlled tool names and parameters and forwards them to a remote service, enabling network-based remote capability unrelated to the advertised string-processing function. In a skill ecosystem, this can be abused to trigger unintended external actions or transmit sensitive inputs to an upstream system under the guise of a harmless local utility.

Description-Behavior Mismatch

High
Confidence: 98%
Finding: The code persists an externally supplied API key to a local .env file and exposes credential-management behavior that is unrelated to the declared purpose of a character-index string processing tool. This scope mismatch is dangerous because it creates unnecessary secret-handling capability, increasing the chance of credential leakage, abuse, or stealthy repurposing of the skill for external service access.

Context-Inappropriate Capability

High
Confidence: 98%
Finding: The skill reads secrets from .env, writes updated secrets back to disk, and mutates process environment state via os.environ. For a tool advertised as string processing, this is unjustified privileged behavior that can expose credentials to other components, create persistence on disk, and broaden the blast radius if the skill is compromised or misused.

Intent-Code Divergence

Medium
Confidence: 89%
Finding: The class docstring identifies the component as a different skill ('小笨羊高考Skill配置'), which conflicts with the manifest describing a character-index string processing tool. Identity mismatches are a supply-chain risk indicator because they can hide copied or repurposed code, making it harder to assess what the skill really does and whether secret-handling behavior is expected.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding: The file presents itself as a local character-index string processing utility, but all operations delegate raw input text to a remote API via call_api. This creates a data exfiltration and trust-boundary violation risk because users may provide sensitive text expecting local-only processing, while the implementation silently transmits it off-host.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding: A remote API is not necessary for basic string indexing, splitting, insertion, deletion, and regex matching operations that can be performed locally. Introducing network calls for these primitives expands the attack surface, enables unnecessary exposure of user-provided content, and creates a dependency on an external service without clear functional need.

Missing User Warnings

Medium
Confidence: 93%
Finding: The skill instructs the model to collect an API key from the user and persist it via local configuration, but it does not warn that the secret will be stored, where it will be stored, or how it will be protected. This creates a real secret-handling risk because users may disclose credentials without informed consent, and local persistence increases exposure if the environment or filesystem is compromised.

Missing User Warnings

Medium
Confidence: 86%
Finding: The request sends an API key and arbitrary caller-supplied parameters to a remote endpoint, and the session is mounted for both HTTP and HTTPS, so misconfiguration of the base URL could permit plaintext transmission. Even when HTTPS is used, the absence of clear disclosure and guardrails around what is transmitted creates confidentiality and trust risks in a skill presented as a local processing tool.

Missing User Warnings

Medium
Confidence: 93%
Finding: The function writes the API key to .env without any visible warning, consent flow, or disclosure that the credential will be persisted to disk. Silent persistence increases the chance that users expose long-lived secrets unintentionally, especially in shared workspaces, source trees, backups, or logs.

Missing User Warnings

Medium
Confidence: 96%
Finding: The wrapper functions accept arbitrary text and forward it to an external API without any visible user-facing disclosure in this file. In a text-processing skill, callers may reasonably pass secrets, source code, or personal data, so silent transmission can lead to confidentiality loss and compliance issues even if the backend is not overtly malicious.

VirusTotal

64/64 vendors flagged this skill as clean.