Volcano Engine Doubao Voice Podcast

Security checks across malware telemetry and agentic risk

Overview

This podcast-generation skill mostly matches its purpose, but one helper script quietly stages generated audio for a QQ bot path and uses local credentials in ways users should review first.

Install only if you are comfortable sending podcast text to Volcano Engine/ByteDance and using Volcano credentials on this machine. Prefer environment variables or a protected config over command-line tokens, avoid sensitive prompts, and review or modify scripts/kamei_podcast.py before use if you do not want generated audio staged for QQ bot delivery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill documentation indicates capabilities to read environment variables and write files, but it does not declare permissions accordingly. Undeclared access to secrets and filesystem locations reduces transparency and can lead users to run a skill with broader access than expected.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose is podcast generation, but the analyzed behavior also includes reading local config credentials, copying audio into a fixed QQ bot download path, and emitting QQ-specific markup. This hidden behavior expands the trust boundary, may exfiltrate or misuse local secrets, and can cause unintended integration with another application context.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The documentation recommends CLI use with credentials but does not warn that tokens passed as command-line arguments may be exposed through shell history, job logs, and process listings. In a multi-user or monitored environment, this can leak API credentials to other users or tooling.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script sends user-provided text to an external podcast-generation service using credentials loaded from local config or environment, but there is no user-facing disclosure or consent mechanism for that external data transfer. In an agent setting, this can cause unintended leakage of sensitive prompts or personal data to a third-party service, especially if users assume processing is local.

VirusTotal

66/66 vendors flagged this skill as clean.