GuruTalk 大师云

Security checks across malware telemetry and agentic risk

Overview

GuruTalk is a coherent persona-management skill, but it copies API-key files into generated skills and can write or delete agent skill directories with weak path containment.

Review before installing. Use only trusted slugs, avoid sharing or syncing generated persona skill folders because they may contain copied API keys, rotate the Bibliotalk key if any generated folder is exposed, and prefer a version that validates paths, removes `--base-dir` escape risk, avoids copying `.env`, and confirms deletions before running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares significant capabilities—environment access, file reads/writes, and network use—yet does not explicitly declare permissions or constrain those operations. That creates a transparency and review gap: users may invoke a skill that can read secrets, modify local skill directories, and contact remote services without clear up-front disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The description frames the skill as a local persona-directory manager, but the body authorizes additional sensitive behaviors: sending login requests, fetching remote content, copying API-key-bearing configuration into generated skills, deleting local directories, and managing rollbacks/snapshots. This mismatch undermines informed consent and increases the chance a user triggers destructive or secret-propagating actions they did not reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script performs outbound network requests to Bibliotalk APIs and a web login endpoint, but the declared skill purpose emphasizes local persona directory management and chat routing. This mismatch expands the trust boundary and can expose user data, metadata, or credentials to an external service without clear disclosure, making the behavior security-relevant even if it appears product-intended.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The magic-link function triggers authentication-related network activity that is not justified by the stated local-management/chat-routing scope. Authentication flows involve sensitive identifiers like email addresses and can be abused for account enumeration, phishing-style confusion, or unexpected external account linkage if users are not clearly informed.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The tool copies the parent skill's `.env` file into every generated persona skill directory, duplicating API keys and any other secrets across many locations. This expands the secret exposure surface: any later disclosure, packaging, syncing, or accidental sharing of a generated skill can leak credentials that were originally stored in a single controlled location.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script is advertised as managing local GuruTalk persona directories, but it can operate on global skill roots for multiple agents (Claude, Codex, OpenClaw). That broadens its write/delete/rollback scope beyond the stated purpose, so a user or calling workflow could snapshot, overwrite, or prune unrelated skills in shared agent directories.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
By accepting an agent selector and optional base directory, the code can modify other agents' skill directories without any authorization, ownership, or scope checks. In this skill context, that is more dangerous because skill directories typically influence agent behavior, so rollback or cleanup against the wrong target can tamper with prompts/configuration for unrelated agents.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README instructs users to complete API-key setup and credential writing during initialization, but it does not explain where secrets are stored, how they are protected, or what security precautions users should take. In an agent skill context, unclear credential handling can lead to accidental exposure through chat logs, plaintext files, synced directories, or over-broad permissions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill includes a command to remove local guru directories but provides no built-in warning, confirmation, or recovery guidance at the point of deletion. In a skill that manages files under user home directories, silent deletion can cause accidental data loss, especially if local modifications or profiles are stored there.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This behavior silently duplicates sensitive configuration into each generated skill directory without warning or consent, making credential spread easy to miss. In this skill ecosystem, generated skill folders are likely to be browsed, copied, versioned, or shared, so silent propagation materially increases the chance of credential leakage.

VirusTotal

67/67 vendors flagged this skill as clean.