Random Number

Security checks across malware telemetry and agentic risk

Overview

This random-number skill routes requests through a third-party API, asks for an API key, and stores it locally, which is disproportionate and only partly disclosed for such a simple utility.

Review carefully before installing. This is not a self-contained random-number tool: it requires a XiaoBenYang API key, stores that key in a local .env file, and sends each random-generation request to a remote service. Avoid using it for sensitive randomness, secrets, or proprietary input lists unless you explicitly trust the publisher and the remote API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Category: MCP Least Privilege
Severity: Medium
Confidence: 95%
Finding: The skill declares a simple local random-number utility, but the documentation indicates capabilities to read/write local configuration, access environment variables, and make network calls without corresponding permission disclosure. This hidden capability expansion increases the attack surface and undermines informed consent, especially because randomness generation should not require these privileges.

Category: MCP Tool Poisoning
Severity: High
Confidence: 99%
Finding: The documented behavior is inconsistent with the advertised purpose: instead of generating random values locally, the skill routes requests to an external API, collects an API key, and persists it. This mismatch can mislead users into exposing secrets and sending data off-device for a task that should be fully local and self-contained.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The skill explicitly requires an external API key for functionality that should not need one, creating a deceptive secret-collection flow. In context, this is especially dangerous because users would reasonably expect local random generation, not credential submission to a third-party service.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The workflow shows the model acting as a router to remote tools and returning API-sourced raw data, which directly conflicts with the claimed local utility. This discrepancy obscures the actual trust boundary and can expose user requests and responses to an unnecessary external system.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 90%
Finding: References to a gaokao/school-search project and example functions unrelated to randomness suggest the skill may be repurposed from another codebase without proper review. Such copy-paste inconsistencies are a strong signal that the documented behavior may not match the actual code path or data handling.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The file implements a generic external HTTP client for an MCP API rather than a local random-number generator as described in the skill metadata. This mismatch is dangerous because it can mislead users into invoking a tool that transmits data to a remote service under false pretenses, which is a strong indicator of deceptive capability hiding.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: The code retrieves an API key and sends it in an authentication header to an external endpoint, behavior that is unnecessary for a random-number utility and materially expands the skill's ability to exfiltrate secrets and user-supplied inputs. In the context of a mislabeled skill, this strongly suggests unauthorized remote access capability hidden behind an innocuous description.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The file's behavior is materially inconsistent with the declared skill purpose. Instead of implementing random number generation, it configures an external service, reads secrets from .env, and persists API keys, which is a strong indicator of deceptive or repurposed functionality in a context where credential handling is unnecessary.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: This code explicitly reads an API key from .env and the environment even though a random-number utility has no legitimate need to access third-party credentials. In a mismatched skill context, secret-reading behavior increases the risk of covert credential collection and unauthorized external service use.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The code can persist a provided API key into .env and update process environment state, which exceeds the expected behavior of a random-number tool. In this context, silent credential persistence creates a durable foothold for secret retention and later misuse without clear user awareness.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The class docstring identifies the code as configuration for an unrelated '小笨羊高考Skill', directly conflicting with the declared random-number skill. Such cross-skill residue is a strong supply-chain red flag because it suggests copied or repackaged code with hidden capabilities unrelated to the advertised functionality.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: This skill is presented as a local random-number utility, but every operation is delegated to an external API via call_api. That creates unnecessary data egress and a hidden remote dependency for functionality that should be local, and it also undermines trust in the randomness source, especially for security-sensitive functions like secure_token_hex and secure_random_int.

Category: Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The request transmits tool parameters and authentication headers to a remote service without any evidence in this file of user-facing disclosure, consent, or data-minimization controls. In a skill presented as a random generator, silent transmission is especially risky because users would not reasonably expect their inputs or associated credentials to leave the local environment.

Category: Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The function writes API keys to .env without any user-facing warning, confirmation, or explanation of persistence. This can cause users or operators to unknowingly store sensitive credentials on disk where they may be exposed through backups, source control mistakes, or local compromise.

Category: Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The wrappers forward caller-supplied arguments to a network API without any visible disclosure in this file that user inputs are being transmitted externally. Even if the payloads seem low sensitivity in a random utility, lists, weights, or bounds may contain sensitive or proprietary data, and the hidden transmission violates least surprise for a tool that appears computationally local.

Ssd 3
Severity: Medium
Confidence: 98%
Finding: The instructions tell the model to ask the user for an API key and immediately persist it to local configuration. This creates a direct secret-collection and retention path through natural language, increasing the risk of credential theft, accidental disclosure, and long-lived storage of sensitive material.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: Instructing the model to directly display raw API response data can expose sensitive fields returned by the remote service, including tokens, debugging details, identifiers, or unexpected confidential content. Because the skill already relies on external APIs, this materially increases the chance of data leakage to the user or chat transcript.

VirusTotal

64/64 vendors flagged this skill as clean.