派蒙.skill - Genshin Impact-specialized AI game companion

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real game-helper skill, but it needs review because it can capture screens, send images to a cloud AI service, control mouse and keyboard input, and store secrets with weak safeguards.

Install only if you are comfortable running a local Windows game assistant that can save screenshots, inspect visible windows, send screenshots to Aliyun/DashScope for click_text, and inject mouse/keyboard actions into the game. Prefer using the DASHSCOPE_API_KEY environment variable instead of saving the key, keep other sensitive windows closed while using it, avoid background clicking unless you understand the risk, and do not install modified asset/config files unless you trust them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

eval() call detected

High
Category
Dangerous Code Execution
Content
if isinstance(expr, str):
    expr = expr.replace('width', 'base').replace('height', 'base')
    try:
        return int(eval(expr, {'base': base_value}))
    except:
        return 0
Confidence
99% confidence
Finding
return int(eval(expr, {'base': base_value}))

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents capabilities that access environment variables, read/write local files, and persist configuration, but it does not declare corresponding permissions. This creates a transparency and consent gap: users and the host agent may underestimate what the skill can access, including API keys and screenshots saved to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes beyond a narrow 'Genshin helper' and includes enumerating system windows, arbitrary mouse/keyboard injection, local API-key handling, and sending screenshots to external multimodal services. That mismatch is dangerous because users may authorize a game-assistant skill without realizing it has broader desktop-control and data-exfiltration capabilities.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation claims that user game account information is not stored or transmitted, yet the skill explicitly relies on a cloud multimodal model to analyze screenshots. If screenshots include usernames, UID, email fragments, chat content, or payment/account UI, that data may be sent to an external provider, making the privacy claim inaccurate and potentially misleading.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill file defines a broad, general-purpose assistant persona with wide-ranging capabilities, which conflicts with the manifest describing a Genshin-specific Paimon companion. This scope mismatch is dangerous because it can cause the agent to accept unrelated high-privilege requests under an apparently game-focused skill, expanding behavior beyond what users and platform reviewers expect.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The documented abilities include file operations, automation, web search, and coding help that are not necessary for a game companion and substantially broaden the attack surface. In an agentic environment, these extra capabilities can be triggered by prompt manipulation or user confusion to perform sensitive actions unrelated to gameplay.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The `windows` command enumerates all visible desktop window titles, which exceeds the skill's stated purpose of assisting with Genshin gameplay. Window titles can reveal sensitive user activity such as documents, chats, browser tabs, or enterprise apps, creating an information disclosure surface unrelated to the core function.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
ROI values from configuration are treated as executable expressions, turning a data file into code. Because this skill loads per-game assets and is designed to interact with screenshots and game UI, adding hidden code-execution behavior in configuration materially increases risk, especially if assets can be modified, supplied by third parties, or selected via untrusted input.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes capturing screenshots and sending them to an external multimodal AI service, but does not clearly require explicit user notice or consent regarding what may be captured and transmitted. Because the skill runs on the local machine and can inspect visible windows, screenshots may contain sensitive information beyond the game UI, creating a real privacy and data exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly describes automated screenshot capture combined with cloud-based multimodal AI analysis and even names a remote API endpoint, but it does not clearly warn users that screenshots may be transmitted off-device and could contain sensitive information beyond the game window. In a tool that continuously captures and analyzes visuals, omission of privacy and data-handling disclosure can mislead users into exposing personal data, account details, chats, overlays, or other visible content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes automated clicking and keyboard/game control without a clear warning that the skill can inject UI actions into a live user session. That can cause unintended in-game purchases, destructive actions, account penalties under game anti-cheat rules, or accidental interaction with the wrong foreground window if targeting fails.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation guidance uses broad natural-language triggers such as mentioning Genshin-related scenarios, which can collide with ordinary conversation and activate the skill unintentionally. In a skill that can capture screens and inject input, accidental activation materially increases privacy and system-interaction risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill prominently advertises screenshot capture and automated clicks/keypresses but does not clearly foreground the privacy and system-impact risks of those actions. Because it operates on a live desktop window and can simulate input, insufficient warning can lead users to expose sensitive on-screen content or trigger unintended actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The API-key configuration section describes enabling a cloud GUI agent but does not clearly warn that screenshots or UI contents may be transmitted to an external service for analysis. That omission is significant because users may enter credentials and use the feature without understanding that potentially sensitive screen data can leave the local machine.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation examples use generic phrases such as helping organize files or writing scripts, which overlap with ordinary assistant usage and can unintentionally activate this skill outside its intended game context. That ambiguity increases the chance of unauthorized or surprising task execution, especially when the skill already advertises broad automation powers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Advertising file management and automated task execution without warning about filesystem changes or confirmation requirements creates a real risk of unintended modification, movement, or deletion of user data. This is especially concerning in a skill marketed as a game companion, where users may not expect desktop-level actions affecting personal files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly states it can continuously capture and analyze the user's game screen, including UI state, inventory, and character/resource information, but it does not disclose what data is collected, how long screenshots are retained, whether they leave the local device, or how sensitive on-screen information is protected. In a screenshot-observing agent, this omission creates a real privacy risk because game windows can expose account names, chat, IDs, payment-related UI, or other incidental personal data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes continuous screenshot analysis and automated mouse/keyboard control, but the warnings are minimal and do not clearly explain privacy exposure, accidental interaction risk, or possible system/game-account consequences. In this context, the capability is more dangerous because it combines real-time observation with action execution against a live application, which can expose sensitive on-screen data or trigger unintended operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The `click_text` flow captures a live game screenshot and sends it, along with user-provided text, to an external GUI agent provider without an explicit user-facing disclosure at the point of use. Screenshots may contain account identifiers, chat, or other sensitive on-screen information, so silent transmission creates a privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This file implements direct mouse-input injection through SendInput and PostMessage against arbitrary windows identified only by title, including background clicking that can interact with applications without normal user focus or confirmation. In the context of a game-assistant skill that explicitly advertises automated clicking, this creates real abuse potential if higher-level logic supplies attacker-chosen coordinates or window titles, enabling unauthorized UI actions on non-game windows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists the API key directly into a local JSON config file without any encryption, permission hardening, or user warning. On multi-user systems, backups, sync folders, or if the skill directory is exposed, this can lead to credential disclosure and unauthorized use of the upstream AI service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This code transmits the user's screenshot and free-form instruction to Alibaba Cloud's remote multimodal API, which can expose sensitive on-screen content such as chats, credentials, personal data, or other applications visible in the capture. In a GUI automation/game-assistant context that continuously inspects live screenshots, the privacy risk is elevated because users may not realize all visible desktop content is being sent off-device.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function captures either a specific game window or the full desktop and writes the image to disk without any user-facing consent, notice, or runtime gating in this file. In the context of a game-assistant skill that can observe gameplay in real time, this creates a real privacy risk because fallback to full-screen capture can unintentionally collect unrelated sensitive information from the user's desktop.

VirusTotal

67/67 vendors flagged this skill as clean.