Xby Calculator

Security checks across malware telemetry and agentic risk

Overview

This calculator skill is not clearly local: it collects and stores an API key, sends calculation inputs to a third-party API, and contains copied Gaokao-service references that make its scope unclear.

Install only if you intend to use XiaoBenYang's remote API and are comfortable storing an XBY_APIKEY in a local .env file. Avoid entering sensitive, proprietary, or regulated calculation data, and treat the copied Gaokao references as a sign that the publisher should clarify scope and credential handling before broad use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Intent-Code Divergence

Severity: High. Confidence: 96%.
The workflow example references an unrelated gaokao/school-search function and project path, indicating the documentation may have been copied from another skill without proper review. This kind of documentation integrity failure makes the actual behavior untrustworthy and raises the chance of misrouting user data or invoking unrelated external services.

Context-Inappropriate Capability

Severity: High. Confidence: 98%.
A calculator service should not normally require collection and persistence of a third-party API key, especially when the stated functionality is ordinary math operations. This unnecessary credential collection expands the attack surface and can lead to secret theft, reuse, or coercive credential harvesting under a misleading pretext.

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
The manifest presents a self-contained calculator server, but the workflow says the code only proxies requests to external APIs and returns raw remote data. This discrepancy is dangerous because users may trust the skill as local computation while it actually acts as a networked broker with different privacy, integrity, and availability risks.

Description-Behavior Mismatch

Severity: High. Confidence: 95%.
This file implements a generic remote MCP tool invocation client rather than a narrowly scoped local calculator. It accepts arbitrary tool names and parameter dictionaries, then forwards them with an API key to an upstream service, which materially expands capability beyond the stated calculator purpose and could enable unintended remote actions or data handling.

Context-Inappropriate Capability

Severity: High. Confidence: 93%.
The code establishes external network access and forwards requests to a remote API, including user-supplied parameters and a tool selector, which is inconsistent with a calculator skill expected to perform local computation. In a skill-context review, this mismatch is dangerous because it can conceal remote execution or proxy behavior behind an innocuous mathematical description.

Description-Behavior Mismatch

Severity: High. Confidence: 99%.
The file is for a purported calculator skill, yet it embeds configuration for an unrelated remote '高考' (Gaokao) service, including its base URL, MCP ID, and API key handling. This mismatch strongly suggests hidden secondary functionality or credentialed outbound access beyond the declared purpose, which is dangerous because users and reviewers may grant trust to a benign calculator while the code is prepared to authenticate to an unrelated service.

Context-Inappropriate Capability

Severity: High. Confidence: 98%.
The code implements reading, storing, and returning an API key from both .env and process environment, which is not proportionate to a local calculator service. In this context, secret persistence and retrieval capabilities increase the risk of covert credential collection, unauthorized reuse, and hidden access to an unrelated backend service.

Intent-Code Divergence

Severity: Medium. Confidence: 95%.
The class docstring explicitly identifies the code as '高考Skill配置' ("Gaokao skill configuration"), directly contradicting the published calculator-skill description. This inconsistency is a strong indicator of repurposed or disguised code, making the surrounding credential and remote-service logic significantly more suspicious in context.

Description-Behavior Mismatch

Severity: Medium. Confidence: 97%.
This file presents itself as a local calculator utility, but every operation delegates user input to an external API via call_api. That creates an undeclared data-flow boundary and expands trust to a remote service, which is risky even for seemingly harmless math inputs because usage patterns, business data, or embedded sensitive values can be transmitted off-platform.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
A math-focused skill unexpectedly includes broad external API call behavior not reflected in its stated purpose. This mismatch can mislead users and reviewers about the actual attack surface and can enable silent exfiltration of inputs to a third-party service.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The skill tells the model to collect and save an API key but does not warn users that the key is sensitive or that it will be persisted, likely into local configuration such as .env. Users may disclose credentials without understanding retention or exposure risks, which is especially problematic in shared or multi-tenant environments.

Missing User Warnings

Severity: Medium. Confidence: 86%.
The HTTP request sends arbitrary params together with an API key to an upstream endpoint without any indication in this file of user consent, redaction, or field-level restrictions. This creates a data exposure risk because sensitive inputs may be transmitted off-box to a third party under the guise of a calculator operation.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The function writes the provided API key directly into a local .env file without any user-facing disclosure, consent flow, or storage warning. Persisting secrets this way can expose credentials through source directory access, backups, logs, accidental commits, or other local users/processes.

Missing User Warnings

Severity: Medium. Confidence: 96%.
User-supplied parameters are forwarded over the network with no disclosure in this file that inputs leave the local environment. Even if the data is 'just numbers,' users may submit proprietary financial, engineering, or analytical values, creating confidentiality and compliance risks.

Ssd 3

Severity: Medium. Confidence: 95%.
The instructions direct the model to ask for a user API key and then persist it for future use. This creates a secret-handling risk because the model is encouraged to collect sensitive credentials in normal conversation flow and store them without any specified secure storage, scoping, masking, or deletion controls.

Ssd 3

Severity: Medium. Confidence: 92%.
The response policy instructs the model to directly reorganize and display raw API data to the user. If the upstream API returns sensitive metadata, identifiers, debugging fields, or accidental secret material, this policy can expose them without filtering or least-privilege output controls.

VirusTotal

64/64 vendors flagged this skill as clean.