Xby Math

Security checks across malware telemetry and agentic risk

Overview

This math skill needs review because it sends calculations and an API key to a third-party service, stores the key in a local .env file, and contains confusing stale documentation.

Install only if you are comfortable sending math expressions, arrays, and any financial-style inputs to xiaobenyang's hosted API and storing the XBY API key in a local .env file. Treat this as a remote service wrapper, not a local calculator, and review or fix the stale documentation, credential storage, dependency pinning, and runtime syntax issues before trusting it in a shared or sensitive workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill presents itself as a local math computation service but mandates collection of an external API key and remote API usage. That discrepancy is security-relevant because users may disclose credentials or sensitive inputs under the assumption that calculations are local, while the skill actually sends data to a third party.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The workflow claims the code only acts as a thin API-calling layer, but the tool descriptions advertise substantial local computation via SymPy, NumPy, SciPy, and Polars. This inconsistency undermines security review and provenance analysis because reviewers cannot tell whether data is processed locally or remotely, nor what code paths actually execute.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The project structure references a gaokao-school skill codebase and generic raw API handling despite branding itself as a math computation skill. This strongly suggests copy-pasted or repurposed documentation, which raises the risk that the skill may route user inputs and API keys to an unrelated backend or execute unintended functionality.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file implements a generic outbound MCP/HTTP invocation wrapper rather than a narrowly scoped local math engine. Because `tool_name`, `mcp_id`, and `params` are caller-controlled and forwarded upstream with minimal restriction, the skill can be repurposed as a general remote capability proxy that exceeds the declared math-only scope, increasing the attack surface and enabling unintended external actions depending on the upstream service.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The API exposes arbitrary `tool_name` and `mcp_id` inputs and places them directly into request headers, giving callers broad access to whichever upstream tools are reachable with the stored API key. In a skill presented as a math service, this mismatch is dangerous because an agent or user may trust it with benign inputs while it can actually invoke unrelated remote functions, potentially causing data access, side effects, or policy bypass through the upstream MCP platform.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file exposes many tools that appear to perform local math operations, but each one forwards user-supplied inputs to an external API via call_api. This creates a real trust-boundary and data-disclosure issue because users or upstream agents may assume calculations stay local while potentially sensitive expressions, variables, financial inputs, or datasets are transmitted to a remote service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function persists the API key directly into a local .env file without any user confirmation, warning, or file-permission safeguards. This increases the chance of accidental credential exposure through source control, backups, shared workspaces, or overly permissive filesystem access.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
requests

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

High
Category
Supply Chain
Confidence
85% confidence
Finding
pydantic

Known Vulnerable Dependency: pydantic-settings — 1 advisory(ies): GHSA-4xgf-cpjx-pc3j (pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_)

Low
Category
Supply Chain
Confidence
76% confidence
Finding
pydantic-settings

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
72% confidence
Finding
python-dotenv

VirusTotal

64/64 vendors flagged this skill as clean.