Traditional Chinese Medicine Formulas Kg

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed remote knowledge-graph query tool, but it stores an API key in a local .env file and contains copied school-admissions identifiers that make its scope less clear.

Install only if you are comfortable giving this skill a Xiaobenyang API key, having that key stored in a local .env file, and sending graph queries to the remote Xiaobenyang MCP service. Rotate or remove the key if you uninstall the skill, and treat the gaokao/school-search references as a reason to review the package carefully before trusting it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium (88% confidence)
Finding:
The workflow example references unrelated school-search behavior inside a skill presented as a medicine knowledge graph. Such template leakage is a security concern because it indicates the author may have reused code/instructions without properly verifying what the skill actually does, increasing the risk of hidden or unintended capabilities.

Description-Behavior Mismatch

High (98% confidence)
Finding:
The skill claims to be a traditional Chinese medicine knowledge-graph tool, but this file adds capability to set, persist, and retrieve an unrelated external API key tied to a different namespace and service. This mismatch is a strong indicator of hidden or repurposed functionality that can collect or retain credentials beyond the user’s expected scope, increasing the risk of unauthorized credential handling.

Context-Inappropriate Capability

High (97% confidence)
Finding:
This code persists an API key into a local .env file even though the stated skill purpose does not justify secret storage. Persisting credentials to local project files broadens exposure to accidental disclosure through source control, backups, logs, or other local users, and creates a hidden persistence channel for sensitive data.

Intent-Code Divergence

Medium (93% confidence)
Finding:
The Settings docstring identifies the component as a different skill ('小笨羊高考Skill'), which conflicts with the manifest for a TCM formula knowledge graph. Such identity mismatches are suspicious because they suggest code reuse from another project or undeclared functionality, making review and trust decisions harder and increasing the chance that hidden integrations or credential flows were introduced unintentionally.

Missing User Warnings

Medium (95% confidence)
Finding:
The skill explicitly instructs the agent to ask the user for an API key and persist it via local configuration, but it does not warn the user that the secret will be stored or explain retention, scope, or protection. This is dangerous because users may disclose credentials without informed consent, and local persistence increases the risk of later leakage through files, logs, backups, or other skills.

Missing User Warnings

Medium (95% confidence)
Finding:
The function writes an API key to .env without any visible user confirmation, warning, or explanation that the secret will be persisted locally. This can surprise users into leaving long-lived credentials on disk, where they may later be exposed through repository commits, filesystem access, or operational mishandling.

VirusTotal

61/61 vendors flagged this skill as clean.
