Daily Hot

Security checks across malware telemetry and agentic risk

Overview

This skill mostly behaves like a third-party news/trend API wrapper, but it also stores an API key in a local .env file and exposes arbitrary website crawling through the upstream service without enough scoping or privacy warning.

Install only if you are comfortable giving this skill a Xiaobenyang API key, storing that key locally in plaintext .env, and sending requested trend queries and crawl URLs to mcp.xiaobenyang.com. Avoid using the crawl tool on private, internal, or sensitive URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
Exposing a generic website-crawling capability inside a news aggregation skill materially broadens the attack surface beyond the stated use case. In an agent context, arbitrary URL fetching can be abused for SSRF-like access to internal services, metadata endpoints, or unexpected destinations if downstream code does not enforce strict validation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The configuration module includes API key persistence and mutation behavior that is not clearly justified by a hotspot aggregation service. This mismatch increases the risk of hidden credential-handling behavior being bundled into a skill whose declared purpose does not require local secret storage, making review and user consent harder.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill can persist an API key into a local .env file even though the stated aggregation purpose does not inherently require writing secrets to disk. Storing credentials locally expands exposure to accidental disclosure through filesystem access, backups, repository inclusion, or other local tooling.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The class docstring describes a different skill ('小笨羊高考Skill配置') than the declared hotspot aggregation service. This inconsistency is a strong supply-chain warning sign because it suggests code reuse, repackaging, or mislabeling that can conceal unexpected behavior such as unrelated credential handling.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill exposes a generic crawl_website(url) capability that goes beyond narrowly scoped hotspot aggregation and allows user-directed retrieval of arbitrary remote content. In an agent context, this can be abused for unintended browsing, access to internal or sensitive endpoints if the backend has broader network reach, and data collection outside the declared purpose.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill describes arbitrary website crawling without warning users about privacy implications, possible transmission of internal URLs, or how fetched content is handled. In an agent setting, missing disclosure makes risky network actions more likely to occur without informed consent, increasing the chance of sensitive data exposure or unintended requests.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The code writes the API key to .env without any visible user-facing disclosure or warning that the credential will be stored on disk. Users may assume a transient configuration flow, while the implementation creates a persistent secret that can be exposed through local compromise, backups, or accidental commits.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This function performs network retrieval on a fully user-supplied URL, but the file shows no visible warning, confirmation, or policy guard around that action. In agent deployments, silent remote fetching can enable SSRF-style access, unexpected data exfiltration via outbound requests, or user confusion about what external resources are being contacted.

VirusTotal

64/64 vendors flagged this skill as clean.