Coze (扣子) CLI Tool

Security checks across malware telemetry and agentic risk

Overview

This Coze CLI helper is coherent, but it gives an agent broad authenticated command patterns that can change remote projects or send local data without clear safety gates.

Install only if you intentionally want an agent to operate Coze CLI. Use a least-privileged Coze account and non-production workspace where possible, verify the @coze/cli package source/version, and require explicit approval before deploy, delete, env set/delete, domain/skill changes, uploads, or sending local files/logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The trigger phrase definition is excessively broad because it activates on generic mentions like "coze" or any coze command execution, which can cause the skill to run in contexts where the user did not clearly intend terminal actions. In an agent environment, overbroad activation increases the chance of unintended command execution, especially since this skill can modify org/space selection, deploy projects, and send data to remote services.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README documents deployment and environment-variable mutation commands without warning that these operations can change production state, overwrite configuration, or expose secrets through terminal history and logs. In a skill designed for agent-driven execution, omission of these safeguards makes accidental destructive actions and secret mishandling more likely.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The trigger description is broad enough to activate on generic mentions of Coze, not just explicit requests to use the CLI. This can cause the skill to engage in terminal-based actions in contexts where the user did not intend command execution, increasing the risk of unintended remote operations or data disclosure.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
These examples normalize sending local files and piped logs to a remote Coze project without any warning that the contents leave the local environment. In an agent setting, this can lead to accidental exfiltration of source code, logs, tokens, personal data, or internal error details to an external service.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The environment variable management section shows setting and deleting API keys without caution about secret handling, visibility, or the destructive effect of deleting configuration. This may cause agents or users to expose secrets in shell history/output or remove critical variables from the wrong environment.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The file upload command is presented without any notice that a local file will be transmitted to a remote service. This creates a direct path for accidental disclosure of proprietary documents, personal data, or regulated information when invoked by an agent or unsuspecting user.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The command `coze file upload <path>` transmits local file contents to a remote service, but the documentation provides no warning about data sensitivity, confidentiality, or access control. In an agent skill context, concise command references can be copied directly into execution flows, increasing the chance that users upload secrets, proprietary files, or personal data without realizing the exposure boundary.
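The approval gate the Overview calls for (explicit sign-off before deploy, delete, env set/delete, domain/skill changes, uploads, and sending local files or piped logs), as an added example that is not part of the scanned skill or of the Coze CLI. It covers the upload, env, message-send and deploy findings above. The command shapes are the ones quoted on this page; the argv grammar (subcommand words before option values, read verbs such as `list`/`get`) and the `approve` callback are assumptions, so adapt the tables before relying on them.

```python
"""Approval gate for an agent that drives the Coze CLI (added example).

Not part of the Coze CLI or the scanned skill. Command shapes come from the
scan report; the argument grammar below is an assumption.
"""
import shlex
import subprocess
from dataclasses import dataclass, field

DESTRUCTIVE_VERBS = {"deploy", "delete"}  # change or remove remote state
EXFIL_PREFIXES = {  # local data leaves the machine
    ("file", "upload"): "sends a local file to the Coze service",
    ("code", "message", "send"): "sends local text or piped logs to a remote project",
    ("env", "set"): "writes a secret or config value into a remote environment",
    ("env", "delete"): "removes configuration from a remote environment",
}
MUTABLE_RESOURCES = {"domain", "skill"}            # gated unless the action is a read
READ_VERBS = {"list", "get", "show", "info", "status"}  # assumed read-only verbs
NOISY_FLAGS = {"--verbose", "--debug", "--log-file"}   # widen console/disk output


@dataclass
class Decision:
    allowed: bool
    needs_approval: bool
    reasons: list = field(default_factory=list)


def _contains(seq, prefix):
    """True if `prefix` occurs as a contiguous run inside `seq`."""
    n = len(prefix)
    return any(tuple(seq[i:i + n]) == prefix for i in range(len(seq) - n + 1))


def classify(argv):
    """Decide how an agent may run one argv. Only the `coze` binary is allowed.

    Assumption: subcommand words precede option values, so scanning the
    non-flag words is enough without a full option grammar.
    """
    if not argv or argv[0] != "coze":
        return Decision(False, False, ["only the coze binary may be invoked"])
    args = argv[1:]
    positional = [a for a in args if not a.startswith("-")]
    reasons = []
    for verb in sorted(DESTRUCTIVE_VERBS & set(positional)):
        reasons.append(f"'{verb}' changes or removes remote project state")
    for prefix, why in EXFIL_PREFIXES.items():
        if _contains(positional, prefix) and why not in reasons:
            reasons.append(why)
    if positional and positional[0] in MUTABLE_RESOURCES and not READ_VERBS & set(positional[1:]):
        reasons.append(f"non-read '{positional[0]}' operation")
    noisy = NOISY_FLAGS & {a.split("=", 1)[0] for a in args}
    for flag in sorted(noisy):
        reasons.append(f"{flag} may write tokens, payloads or paths to console or disk")
    return Decision(True, bool(reasons), reasons)


def run(cmdline, approve, stdin_data=None):
    """Run a coze command string, calling approve(argv, reasons) before gated ops.

    `approve` is the (hypothetical) human-in-the-loop callback; False refuses.
    """
    argv = shlex.split(cmdline)
    decision = classify(argv)
    if not decision.allowed:
        raise PermissionError("; ".join(decision.reasons))
    if stdin_data is not None:  # piped logs leave the machine too
        decision.needs_approval = True
        decision.reasons.append("stdin content will be sent to the remote service")
    if decision.needs_approval and not approve(argv, decision.reasons):
        raise PermissionError("approval denied: " + "; ".join(decision.reasons))
    return subprocess.run(argv, input=stdin_data, text=True, capture_output=True)


if __name__ == "__main__":
    for cmd in ("coze project list", "coze env set OPENAI_API_KEY=sk-xxx",
                "coze file upload ./design.pdf", "coze skill list --debug"):
        d = classify(shlex.split(cmd))
        print(f"{cmd!r:45} approval={d.needs_approval} {d.reasons}")
```

Read-only commands pass straight through; anything that mutates remote state, moves local content off the machine, or turns on verbose logging is held until the approver returns True, and a non-`coze` binary is refused outright.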

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The documented `--verbose`, `--debug`, and `--log-file` options can cause sensitive operational details, tokens, request payloads, file paths, or user content to be written to console or disk, yet the reference provides no caution. In a CLI automation skill, users may enable debugging during incident response or CI/CD runs, where logs are often persisted or shared, creating a realistic path to inadvertent credential and data leakage.
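A redaction pass for `--verbose`, `--debug` and `--log-file` output of the kind the finding above describes, as an added example that is not part of the Coze CLI. The log lines are constructed for the demo; the `pat_` token prefix, the header names and the JSON field names are assumptions about what such output could contain, so extend the patterns for your own environment.

```python
"""Redact secrets from Coze CLI debug output before it is stored or shared.

Added example, not part of the Coze CLI. SAMPLE_LOG is constructed; the
token prefix, header and field names are assumptions.
"""
import re

_PATTERNS = [
    # Authorization headers / bearer tokens in dumped HTTP requests
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    # Personal-access-token style values (assumed `pat_` prefix)
    (re.compile(r"\bpat_[A-Za-z0-9_\-]{8,}"), "pat_[REDACTED]"),
    # KEY=value where KEY looks like a secret, as echoed by `coze env set`
    (re.compile(r"(?i)\b([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*=)[^\s\"']+"),
     r"\1[REDACTED]"),
    # Credential fields inside JSON request/response payloads
    (re.compile(r'(?i)("(?:api_key|token|secret|password)"\s*:\s*")[^"]*(")'),
     r"\1[REDACTED]\2"),
]


def redact_line(line):
    """Apply every pattern to one line; paths are deliberately left intact."""
    for pat, repl in _PATTERNS:
        line = pat.sub(repl, line)
    return line


def redact_text(text):
    return "\n".join(redact_line(l) for l in text.splitlines())


def scrub_log_file(path):
    """Rewrite a --log-file output in place; returns the number of changed lines."""
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    cleaned = [redact_line(l) for l in lines]
    changed = sum(1 for a, b in zip(lines, cleaned) if a != b)
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(cleaned) + "\n")
    return changed


# Constructed sample of what a debug run might emit (not real CLI output).
SAMPLE_LOG = """\
[debug] POST https://api.coze.com/v1/files/upload
[debug] Authorization: Bearer pat_1234567890abcdefGHIJ
[debug] payload: {"api_key":"sk-live-xyz","project_id":"p1"}
[info] env set OPENAI_API_KEY=sk-abc123 --env prod
[info] uploaded /home/dev/internal/q3-roadmap.pdf
"""

if __name__ == "__main__":
    print(redact_text(SAMPLE_LOG))
```

The bearer token, the JSON `api_key` and the `OPENAI_API_KEY=` value are masked, while the uploaded file path is kept because responders usually need it; decide separately whether file names in your logs are themselves sensitive.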

Exfiltration Commands

Severity: High
Category: Prompt Injection
Content (flagged excerpt):
**Supported types**: `agent`, `workflow`, `app`, `skill`, `web`, `miniprogram`, `assistant`

### Send Message to Project

```bash
coze code message send "Fix the styling issue on the login page" -p <project_id>
```

Confidence: 72%
Finding:
Send Message to

VirusTotal

64/64 vendors flagged this skill as clean.
