App Rank Monitor

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches an app-rank monitoring purpose, but it ships live DingTalk credentials and can automatically send reports, use stored login secrets, persist browser sessions, and delete data without enough user control.

Review and replace all DingTalk and Diandian credentials before use, verify the chat/webhook destination, remove or rotate the shipped secrets, disable debug screenshot/HTML capture unless needed, and run cleanup/report sending manually first so you can confirm exactly what will be deleted or transmitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (83)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The document states that the scheduled task will automatically use credentials from `config/credentials.yaml` to re-login when cookies expire. In a periodically executed automation context, this creates ongoing credential access and use without an explicit user-consent boundary, and it increases the blast radius if the host, repo, or logs are exposed.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file’s stated purpose is a ranking-data crawler, but the implementation also creates a persistent Playwright browser profile and stores authenticated session state under `.browser_data/diandian`. That behavior expands the data-handling scope beyond what the documentation suggests, increasing the risk of credential/session-token exposure and misleading operators about what sensitive artifacts are retained.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module presents itself as a ranking crawler, but it also performs credentialed login, navigates an authenticated account, captures screenshots, and persists session cookies to disk. That behavioral mismatch is security-relevant because operators may run it expecting low-risk scraping while it actually handles secrets and durable session material.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring claims the tool only retrieves a cookie, but the implementation also navigates authenticated pages, captures screenshots, extracts market-intelligence data, and writes reports. This mismatch can mislead reviewers and users about the true scope of sensitive actions, reducing informed consent and making abuse harder to detect.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code writes a full-page screenshot and complete HTML of an authenticated session to local files, which can capture sensitive account data, ranking data, cookies-in-page content, or other private information unrelated to the stated fetch task. In a scraping skill that logs into a third-party service, this broad debug collection materially expands data exposure and creates a local persistence trail that could be accessed by other users, processes, or later exfiltrated.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The module docstring materially understates the script's behavior: beyond connecting to a browser and fetching ranking data, it can automatically read stored credentials, log in to Diandian, persist session cookies, and exfiltrate exported data to DingTalk. This kind of deceptive or incomplete disclosure is dangerous because operators may run the tool with an incorrect trust model and unintentionally authorize credential use and outbound data transmission.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
Although the file presents itself as a ranking crawler, it also captures and stores debug artifacts from an authenticated browser session, including full-page screenshots and HTML. In this context, those artifacts can contain account data, session-visible content, or other sensitive information unrelated to the intended app-ranking output, creating unnecessary local data exposure.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The extractor signature accepts an `app_type` parameter and later uses it to decide whether to construct `NewApp` or `OfflineApp` objects, but the caller does not pass `app_type` into `_extract_apps_final`, so it always runs with the default `'new'`. This can silently misclassify offline-monitoring results as new apps, producing incorrect downstream automation, reporting, or decisions based on the wrong dataset.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module description claims the tool only performs a Huawei-channel export workflow, but the implementation also collects all browser cookies and persists them to a config file as a reusable token. This hidden authentication-handling behavior increases the chance that operators run the script without understanding that session material will be stored locally, creating avoidable credential/session exposure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to place usernames, passwords, client secrets, and webhook values in local YAML files without any guidance on secure storage, permissions, exclusion from version control, or secret rotation. This creates a realistic risk of credential leakage through accidental commits, overly permissive file access, backups, or shared workspaces.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README advertises automatic sending of platform data to a DingTalk group but does not clearly warn that collected data is transmitted to an external messaging system. In a monitoring skill, silent or insufficiently disclosed external sharing can cause unintentional disclosure of potentially sensitive business or operational data to broader audiences.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The troubleshooting section provides a destructive `rm -rf` command against a temporary path without warning that it permanently deletes files matching the pattern. Even though the path is narrower than a root wipe, users may copy, modify, or generalize the command incorrectly, causing accidental data loss.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The README recommends killing browser processes with `pkill -f` but does not warn that this may terminate unrelated Chrome sessions or interrupt unsaved work. Because the match pattern is process-name based, the command can affect more than the intended automation instance.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The natural-language triggers are broad and underspecified, which can cause accidental invocation of actions like scraping, report sending, or cleanup without clear user confirmation boundaries. In an agent skill context, ambiguous triggers increase the risk of unintended data collection, outbound messaging, or destructive maintenance operations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation advertises automatic data cleanup and DingTalk report delivery but does not clearly warn users that the skill will modify stored data and transmit content externally on a schedule. This can lead to unintended retention changes or data exfiltration to chat systems if users enable the skill without understanding those side effects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to copy a Cookie containing a token into a local configuration file without sufficient handling guidance, which risks credential leakage through files, logs, backups, or accidental sharing. Because the cookie grants authenticated access to a third-party service, compromise could enable unauthorized account use or data access until expiry.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script prints HTML from the active browser page directly to the console, which can expose sensitive information present in the DOM such as tokens, personal data, internal app content, or confidential workflow state. Because it attaches to an already-running browser session over CDP, the page may belong to a real authenticated user context, making accidental disclosure more dangerous than in an isolated test session.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script automatically captures and stores a full-page screenshot after loading an authenticated session. If the page contains account data, internal dashboards, or personal information, the resulting image may persist sensitive content on disk without the operator realizing the exposure. In a debugging skill, this is more dangerous because authenticated browser state is intentionally restored before capture.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently reads authentication cookie material from local configuration and injects it into the browser context, creating a logged-in session without any runtime disclosure or confirmation. This can surprise users, normalize handling of raw session tokens, and increase the chance of account misuse or unintended authenticated actions if the script is run in the wrong environment. The surrounding context makes this more sensitive because the cookies are used to access a real production site.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documentation describes automatic login using stored credentials but does not warn users that the scheduled workflow reads and uses account secrets. That omission is security-relevant because operators may enable the task without understanding that persistent credentials are being accessed on a recurring basis.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script functionality includes automatically sending fetched results to a DingTalk group, but the documentation does not provide a clear user warning about external transmission of collected data. In an unattended scheduled task, silent outbound sharing can expose sensitive business data, reports, or identifiers to a broader audience than intended.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script automatically uploads the generated Excel report to DingTalk and posts it to a group without any runtime confirmation, policy gate, or recipient validation. Because the file contents are derived from external data and may be executed in an automation context, this creates an unintended data egress channel and increases the risk of accidental disclosure to the wrong chat or audience.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill maps a natural-language request containing “清理” directly to a destructive cleanup command with `--execute` and no confirmation, dry-run, or scope preview. In an agent setting, ambiguous or accidental prompts can therefore trigger irreversible data deletion unexpectedly.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code uploads an arbitrary local file path to DingTalk and then sends it to a configured group chat, which creates a real data-exfiltration path over the network. Even though the behavior appears intentional for a notifier utility, there is no user confirmation, recipient validation, allowlist, or sensitivity check before transmission, so misuse or accidental invocation could leak local data to external recipients.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code saves a screenshot and HTML dump after confirming an authenticated session, which can capture account details, internal dashboard data, tokens embedded in markup, or other sensitive business information. Writing these raw artifacts to predictable local files without warning, masking, access controls, or cleanup creates an unnecessary local data-exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.
