Search Movie

Security checks across malware telemetry and agentic risk

Overview

This movie search skill appears purpose-aligned, but it stores the user-provided API key in a local .env file and sends requests to a remote provider.

Install only if you are comfortable using xiaobenyang.com as the remote provider and storing its API key locally in a plaintext .env file. Use a dedicated key for this service, avoid entering unrelated credentials, and remove or rotate the key if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88%
Finding
The skill declares no permissions while its documented behavior clearly involves reading environment variables, writing configuration to local files, and making network requests to a remote service. This under-specification is dangerous because users and hosting platforms cannot accurately assess or constrain what the skill will do, especially when it also handles secrets and reaches external infrastructure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93%
Finding
The skill is presented as a multi-source movie/TV search tool, but the documentation indicates it stores API keys locally and depends on a fixed third-party remote service rather than clearly implemented multi-source behavior. This mismatch can mislead users about both the data-handling risks and the trust boundary, causing them to disclose credentials and send queries to an external service they did not expect.

Intent-Code Divergence

Medium
Confidence
86%
Finding
The settings class is configured with the prefix XBY_GAOKAO_, but the post-init logic bypasses that convention and directly reads XBY_APIKEY from .env and the process environment. This inconsistency can cause operators to believe one secret source is used while the code actually consumes another, leading to accidental secret exposure, misconfiguration, or use of an unintended credential.

Missing User Warnings

Medium
Confidence
95%
Finding
The skill instructs the model to collect an API key from the user and save it without an explicit warning that the credential will be persisted locally. This is dangerous because users may disclose a secret assuming one-time use, while the skill actually creates ongoing credential retention risk and potential exposure through local files or subsequent reads.

Missing User Warnings

Medium
Confidence
91%
Finding
The function persists an API key into a local .env file automatically, with no confirmation, warning, or permission controls. Storing secrets on disk can expose them to other local users, accidental commits, backup leakage, or disclosure through support bundles and logs.

Ssd 3

Medium
Confidence
96%
Finding
The skill creates a natural-language flow for requesting, receiving, and retaining a sensitive secret from the user. Embedding secret collection in conversational instructions is risky because it normalizes credential disclosure to the model layer and increases the chance of accidental logging, reuse, or insecure storage.

Ssd 3

Medium
Confidence
96%
Finding
The documented workflow explicitly requires checking for a missing key, asking the user for it, and saving it for later use, establishing persistent credential handling as a normal operational step. In this skill context, that is more dangerous because the tool also performs network operations to a third-party service, creating both local secret-retention risk and external trust-boundary risk.

VirusTotal

64/64 vendors flagged this skill as clean.
