Security audit

ClawHub New Skill Publishing Guide

Security checks across malware telemetry and agentic risk

Overview

This is a publishing guide, but it exposes apparent live IMA credentials and tells users how to create, append, and read external notes with them.

Review before installing or following this guide. Do not reuse the embedded IMA credentials; assume they are exposed, rotate or revoke them if you control the account, and replace them with your own scoped credentials stored outside the published skill. Treat any IMA import, append, or read command as sending or retrieving persistent external content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

High
Confidence: 99%
Finding:
This section embeds what appear to be live IMA credentials directly in a public-facing skill guide, despite earlier instructions warning against including real API keys in published packages. Anyone who can read the document could reuse the credentials to access or modify IMA content, and the contradiction increases the likelihood that users will copy the secret into other distributed artifacts.

Missing User Warnings

High
Confidence: 97%
Finding:
The guide not only contains embedded credentials but also provides ready-to-run API calls that transmit note content to an external IMA service without any warning about data exfiltration, trust boundaries, or credential hygiene. In the context of an agent skill, this is especially risky because operators may follow the instructions verbatim and unintentionally send sensitive internal content to a third-party endpoint using compromised shared credentials.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code: suspicious.exposed_secret_literal
Location: SKILL.md:206