X by Ccxt

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it mixes a calorie tracker with unrelated service labels while storing an API key locally and sending user data to an external API, so it needs review before install.

Review the publisher and backend service before installing. Only provide an API key you are comfortable storing in a local `.env` file, check whether the key can be revoked, and avoid entering sensitive health or dietary details until the gaokao/ccxt naming mismatch and API data flow are clarified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions while its documented/project capabilities imply access to environment variables, file read/write, and network operations. This mismatch prevents informed consent and review, and in this context is especially concerning because the skill explicitly collects and stores an API key, which could be mishandled by undeclared code paths.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documentation includes a tool-call example for an unrelated school-search function, indicating copy-paste drift or mismatched implementation guidance. This can cause the agent to invoke unintended tools or route user data to the wrong backend, which is risky here because the skill handles user dietary data and an API key.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The project structure names the package as a gaokao/high-school-exam skill, conflicting with the claimed calorie-tracking purpose. This inconsistency raises the risk that the packaged code, dependencies, or endpoints belong to a different application than advertised, reducing trust and potentially exposing user data to unintended processing.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The config class docstring identifies the code as belonging to an unrelated '小笨羊高考' skill, which conflicts with the declared calorie-tracking skill. This mismatch is a strong indicator of repurposed or hidden functionality and increases the likelihood that the component manages credentials for a different external service than users expect.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implementation manages credentials and endpoint settings for an external '小笨羊高考' API rather than calorie-tracking features. In the context of a calorie-tracking skill, unrelated credential management is suspicious because it can redirect secrets or traffic to an unexpected service without a legitimate business need.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill provides a built-in capability to persist an external API key to a local .env file, but this behavior is not justified by the stated calorie-tracking purpose. Persisting secrets expands their exposure window and can leak credentials through backups, source control mistakes, or local file disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function silently writes the provided API key into .env and updates the process environment without any user-facing warning, consent, or retention notice. Users of a calorie-tracking skill would not reasonably expect secret persistence for an unrelated external service, making this a meaningful trust and security issue.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
80% confidence
Finding
requests

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

High
Category
Supply Chain
Confidence
77% confidence
Finding
pydantic

Known Vulnerable Dependency: pydantic-settings — 1 advisory(ies): GHSA-4xgf-cpjx-pc3j (pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_)

Low
Category
Supply Chain
Confidence
70% confidence
Finding
pydantic-settings

VirusTotal

64/64 vendors flagged this skill as clean.
