Hugeicons

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be advertised as an icon helper but contains unrelated Gaokao/Xiaobenyang service wiring and under-disclosed API-key persistence.

Install only if you understand that this package may contact an unrelated Xiaobenyang/Gaokao backend rather than just an icon service. Do not paste an API key unless you are comfortable with it being stored locally in plaintext, and review or remove the .env entry after testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding
The workflow example references `search_schools` and a gaokao/school-query flow inside a skill presented as an icon integration service. This inconsistency strongly suggests copy-paste contamination or hidden unrelated functionality, which can cause the agent to route user requests into unintended tools or external services not relevant to icons.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The documented project structure names a different skill, `xiaobenyang_gaokao_skill`, rather than the stated Hugeicons service. This undermines provenance and trust, and may indicate that the packaged codebase contains unrelated modules, increasing the risk of unexpected data handling or calls to the wrong backend.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
This file implements a reusable client for a generic upstream '小笨羊MCP' API rather than a narrowly scoped Hugeicons integration. In the context of an icon service, this broad upstream capability increases the attack surface and can enable unintended access to unrelated remote functionality if other parts of the skill can influence mcp_id, tool_name, or params.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The call_tool method accepts arbitrary tool_name and params and forwards them directly to the upstream API with authentication headers. For a skill described as an icon integration service, this is an unjustified capability expansion that could let an attacker invoke unintended upstream tools or abuse privileged API access beyond the advertised purpose.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The configuration clearly targets a different service ('小笨羊高考') than the declared Hugeicons icon integration skill, including a different base URL, MCP identifier, and environment prefix. This mismatch is dangerous because it can silently redirect the skill to an unrelated external service, causing unintended data flows, broken trust boundaries, and possible credential misuse in a context where users expect only icon-resource functionality.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
This file implements storage and retrieval of an external API credential even though the skill is described as an icon integration service with limited scope. In this context, undocumented credential management expands the attack surface and can lead to secret persistence or reuse for an unrelated backend without clear user awareness.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The code declares an env prefix of 'XBY_GAOKAO_' but then manually reads and prioritizes a different variable, 'XBY_APIKEY'. This inconsistency can bypass expected configuration controls, confuse operators, and cause secrets to be loaded from unexpected sources, increasing the chance of misconfiguration or accidental credential exposure.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill instructs the agent to ask the user for an API key and persist it via `set_api_key(api_key)` without disclosing storage location, retention, masking, or security protections. Collecting secrets through conversational flow and saving them locally can expose credentials to logs, prompts, shared environments, or other processes if not carefully controlled.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The function writes the API key in plaintext to a local .env file and updates process environment state without any disclosure, consent, or warning at the point of persistence. This is dangerous because users or operators may assume a temporary in-memory setting while the code actually creates a durable secret on disk, which can later be read, committed, or exfiltrated.

VirusTotal

64/64 vendors flagged this skill as clean.