Kuaipu Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the Kuaipu login and approval lookup it advertises, but it needs review because it handles business-system credentials, saves authenticated page data locally, and auto-installs dependencies at runtime.

Install only if you trust the publisher and are authorized to automate Kuaipu login, CAPTCHA solving, and approval lookup. Use a dedicated virtual environment with pinned dependencies, protect the .env file, avoid shared machines, use a low-privilege account where possible, and delete the tmp directory/artifacts after each run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium, 94% confidence

The script automatically installs Python packages at runtime using uv or pip, which changes the local system state and pulls executable code from external package sources without explicit user approval. In a skill intended for login and workflow automation, this expands capability beyond the declared business function and increases supply-chain and environment-tampering risk if package sources, versions, or indexes are compromised.

Context-Inappropriate Capability

Medium, 89% confidence

The script activates a virtual environment and, if dependencies are missing, installs packages into that environment or the system Python context. This gives the skill the ability to alter the execution environment in ways not strictly required for performing the advertised automation, which can lead to persistence, unintended package changes, or execution under a manipulated interpreter context.

Missing User Warnings

Medium, 92% confidence

The skill states it saves screenshots and HTML to the project directory but does not warn that these artifacts may contain sensitive information such as usernames, workflow data, cookies, CSRF tokens, or page content from an authenticated session. Persisting such data to disk increases the risk of credential leakage, session theft, or inadvertent disclosure through backups, source control, or shared directories. The context makes this more dangerous because the skill automates access to an internal approval system after login.

Missing User Warnings

Medium, 90% confidence

The skill instructs users to place login credentials in a .env file and says it will read them automatically, but it does not warn about secure handling of those secrets. Without guidance, users may leave .env files world-readable, commit them to version control, or reuse privileged credentials unnecessarily. This is especially sensitive here because the credentials grant access to a business approval system and may expose internal workflows and personal or operational data.

Missing User Warnings

Medium, 90% confidence

The skill reads plaintext credentials from a local .env file and immediately uses them for automated login, but it does not provide any user-facing warning, secure handling guidance, or safeguards around storage and use of those secrets. In this context, the code also prints the username and is part of a browser automation flow that can capture additional sensitive artifacts, which increases the chance of credential exposure through local compromise or operational misuse.

Missing User Warnings

Medium, 95% confidence

The skill serializes authenticated session cookies to a local pickle file, persisting reusable authentication state on disk without notifying the user. Stored session cookies can often be replayed by another local process or attacker with filesystem access, effectively bypassing the need for the original credentials and enabling account/session hijacking.

Missing User Warnings

Medium, 97% confidence

The skill writes page HTML, screenshots, and extracted workflow/approval content to local files for debugging, which can capture highly sensitive internal business data, usernames, workflow details, and potentially session-linked content. Because this skill is specifically designed to access enterprise approval and reminder pages, the stored artifacts are especially likely to contain confidential corporate information and become a local data leakage risk.

VirusTotal

65/65 vendors flagged this skill as clean.