Security audit

智合法律研究 (Zhihe Legal Research)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real legal-research connector, but it handles tokens, phone numbers, legal history, and report archives in ways users should review carefully before installing.

Install only if you are comfortable giving this skill your Zhihe account phone number, OTP, legal questions, and legal research history access. Avoid highly confidential matters unless you accept that tokens, phone numbers, queries, results, and downloaded reports may be stored locally; avoid token-manager export, use logout/clear functions, and delete local archives when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill instructs the agent to execute multiple shell scripts (`./scripts/auth.sh`, `./scripts/research.sh`, `./scripts/monitor.sh`) but does not declare any corresponding permissions or trust boundaries. This creates a capability mismatch: an operator may believe the skill is documentation-only, while it actually drives command execution that can handle credentials, network access, file writes, and background tasks.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The script treats `assets/.env` as passive configuration storage, but `source "$ENV_FILE"` executes its contents as shell code. If that file is modified by another local process, a malicious package update, or a compromised skill asset, arbitrary commands will run whenever authentication state is checked or config is shown.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The script intentionally provides a command that prints the full credential to stdout, which can expose the token through terminal history, logs, process capture, shell piping, or higher-level agent tool output. In an agent skill context, this is more dangerous because other components may automatically capture and surface stdout, turning a local secret-management helper into a credential disclosure primitive.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The `show` operation appears to only read and mask a token, but it actually executes the contents of the config file via `source`. If an attacker can modify that file, running `show` triggers arbitrary shell command execution under the user's privileges, which is much more dangerous than the user-facing description suggests.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The `export` command is documented as exporting a token, but it first `source`s the config file, which means invoking it can execute arbitrary shell code stored in that file. This combines code execution risk with direct credential disclosure, making it particularly unsafe in automation or agent environments.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The migration feature claims to read a token from an old location, but it actually executes the entire legacy `.env` file with `source`. If the old file is attacker-controlled or previously poisoned, running `migrate` causes arbitrary command execution and then persists the extracted token into the new location.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The changelog explicitly states that users' phone numbers are persistently stored after login so re-authentication can occur with only a verification code. In a legal-research skill, phone numbers are personal data tied to account access, so undocumented retention increases privacy risk and can expand the blast radius if local assets, logs, or config files are exposed.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding
The result-query trigger phrases are overly broad (e.g. generic expressions such as '查看结果' ("view the results") or '结果出来了吗' ("are the results out yet?")), which can overlap with normal conversation and cause the agent to query task history or status unintentionally. In this skill, that can expose prior legal research metadata or retrieve or notify on the wrong task, especially because the skill may fall back to fetching the most recent task when no task ID is provided.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The example flow retrieves and displays a user's prior legal research history without any confirmation, privacy notice, or step to verify that the user wants potentially sensitive matters surfaced in the current conversation. Legal research topics can reveal employment disputes, family matters, litigation strategy, or other confidential interests, so exposing history by default creates a meaningful privacy risk, especially in shared-device or delegated-use contexts.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script persists both the JWT token and phone number to disk in `assets/.env` without explicit disclosure at the time of login. Although file permissions are tightened, writing long-lived credentials into the skill directory increases exposure to local compromise, accidental inclusion in backups, packaging, or later unsafe parsing via `source`.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The archive function writes user queries, research results, and downloaded reports to persistent local storage under `archive/` without any confirmation, warning, retention control, or sensitivity check. In a legal-research skill, this can expose confidential client matters, personal data, or privileged work product to other local users, backups, or later unintended access.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Printing a sensitive token to stdout without an explicit disclosure warning creates an easy path for accidental secret leakage into logs, transcripts, shell history, or agent output capture. Because this skill is for legal research rather than secret administration, the presence of a raw secret-dumping command is less justified and increases operational risk.

VirusTotal

66/66 vendors flagged this skill as clean.