User Research (Cookiy AI)

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its user-research purpose, but it asks an agent to handle Cookiy access tokens and can perform paid external research operations, so it needs review before installation.

Install only if you intend to let an agent operate a Cookiy account for research workflows. Prefer allowing only the Cookiy API domain, avoid pasting raw access tokens or unredacted participant data into chat, and require explicit confirmation before any paid recruitment, checkout, report generation, or admin-link action.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 80%
Finding: The skill advertises only research-assistant behavior, but static analysis detected shell-capable behavior without declared permissions. Undeclared execution capability reduces transparency and can enable command execution paths that users and reviewers do not expect, especially when combined with external references and CLI-oriented workflows.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented purpose is user research assistance, but the referenced behavior reportedly includes token storage, billing operations, admin-login link generation, uploads, and general CLI functions outside that scope. This mismatch is dangerous because users may invoke the skill expecting research help while unknowingly exposing credentials, triggering financial actions, or accessing privileged platform features.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The script exposes billing and wallet-management commands even though the skill is described as a user-research assistant. This expands the capability surface from research operations into financial actions, increasing the risk that an agent or user invoking the skill could perform unintended monetary operations outside the declared scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The CLI can generate an auto-login URL into the LimeSurvey admin UI, which is broader than the manifest's stated research-assistant role. Even if intended for survey administration, one-time admin-login links materially increase privilege and create an avenue for unintended access to back-office functionality beyond normal research workflows.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README instructs users to enable network egress broadly and discusses recruitment and external study execution, but it does not warn that interview content, survey responses, or participant metadata may be transmitted to a third-party service. In a user-research skill, this omission is risky because the data commonly includes sensitive personal information, opinions, and transcripts, so users may unknowingly expose regulated or confidential data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README advertises transcript synthesis, AI-moderated interviews, and surveys with real or synthetic participants, but it does not disclose that raw transcripts and study data may contain sensitive personal, customer, or proprietary information handled by an external service. Because this skill is specifically designed to process human-subject research data, the missing disclosure materially increases the chance of unsafe sharing and noncompliant use.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: The activation text is extremely broad and can capture many generic customer, survey, interview, or discovery requests. Overbroad triggering increases the chance the skill is invoked in contexts where users did not intend Cookiy-related execution or external platform usage, which can lead to unnecessary data sharing or unintended operational actions.

Vague Triggers

Severity: Medium
Confidence: 77%
Finding: The catch-all routing path handles 'Other' requests without defining boundaries for when the skill should decline or hand off. In practice, ambiguous fallback logic can overextend the skill into adjacent tasks and increase the likelihood of inappropriate prompting toward external services or unnecessary collection of research data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill instructs fetching external content from cookiy.ai without disclosing the network call or its privacy implications. This is risky because it can send metadata or context to a third party and import untrusted remote instructions into the agent flow, expanding both data-exposure and prompt-injection risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill explicitly instructs users to include non-public background knowledge in the study creation prompt without any minimization, consent, or data-handling safeguards. In a user research workflow, that can lead to unnecessary disclosure of internal confidential information, customer data, or other sensitive context to a third-party backend and downstream artifacts such as guides, reports, and transcripts.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation states that arrays are fully replaced during patch updates, but it does not prominently warn that sending a partial array will delete omitted entries. In a study-guide editing workflow, this can cause accidental loss of interview questions, follow-ups, or media references if an agent or user constructs a patch incorrectly. Because the skill is designed to automate guide updates, this behavior is more dangerous in context: consumers may reasonably expect merge semantics and unintentionally destroy existing content.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The skill explicitly instructs the agent to ask the user to paste an access token into the chat and then store it for later use. This exposes a bearer credential through a conversational channel and encourages persistent handling of sensitive secrets without warning, increasing the risk of token theft, logging exposure, replay, and unauthorized account access.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger text is broad enough to activate on generic requests about talking to users, customers, or getting research help, which can cause overbroad routing and unintended invocation of this skill. While this is not a direct code-execution or data-exfiltration flaw, it can lead to incorrect agent behavior, reduced reliability, and possible disclosure of unnecessary research workflows or prompts in contexts where the user did not intend to invoke this capability.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The phase explicitly instructs the agent to persist verbatim participant excerpts into output files, which can include personally identifiable, confidential, or otherwise sensitive research data. In a user-research skill, this increases the chance of unnecessary data retention and downstream exposure because quotes are copied into multiple artifacts without any minimization, redaction, or consent/handling guidance.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill instructs the agent to create, append to, and overwrite many files under `analysis/` across multiple phases without first requiring explicit user consent or warning that workspace files will be modified. In an agent environment with write access, this can unexpectedly alter the user's repository, clobber prior analysis outputs, or consume significant disk/workspace resources through autonomous multi-agent execution.

Ssd 3

Severity: High
Confidence: 99%
Finding: The instructions tell the agent to solicit a user's access token in plain language, save it, and automatically retry the original command. That creates a direct credential collection pattern and normalizes secret sharing with the agent, which is dangerous because chat transcripts, tool logs, or downstream systems may retain the token and enable account compromise.

VirusTotal

66/66 vendors flagged this skill as clean.