劳动法费用计算器 (Labor Law Fee Calculator)

Security checks across malware telemetry and agentic risk

Overview

This labor-law calculator is mostly coherent, but it gives its scripts broad local file read/write power and sends API credentials with persistent session metadata in ways users should review before installing.

Install only if you are comfortable with local Python scripts that can read JSON payload files, write Excel files to caller-specified paths, cache policy data, and contact delilegal policy APIs using an API key. Use a dedicated sandbox/workspace, avoid passing absolute paths or pointing @-prefixed arguments at sensitive files, keep the secrets in config.json protected, and do not set the API URL override environment variable unless you trust the endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The code accepts a caller-controlled output_path, converts it to a Path, and writes a ZIP/XLSX file there after only making relative paths base-directory-relative. Because absolute paths are allowed and there is no allowlist, canonicalization check, or confirmation step, a caller can overwrite arbitrary writable files on the host, which is especially risky in an agent environment where tool inputs may be influenced by untrusted users.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The code accepts a user-controlled output_path, converts it to a Path, and writes an XLSX file there without constraining the destination to a safe directory. An attacker who can influence payloads can overwrite or plant files anywhere writable by the process, which is especially dangerous in an agent setting where the tool may run with access to sensitive workspace files or host-mounted paths.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill includes file-export functionality that writes XLSX files to disk, which exceeds the stated role of a labor-fee calculation routing/calculation skill. Even if intended as a convenience feature, adding filesystem side effects broadens the attack surface and can enable unauthorized local file creation in environments where the agent has broader filesystem access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The @-prefixed input handling allows the caller to make the program read arbitrary local files and parse them as input. In an agent or tool-execution context, this creates an unintended local file read primitive that is unrelated to annual-leave calculations and could expose sensitive files if an attacker can influence arguments.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The output_path parameter is converted directly into a filesystem path and may be absolute or relative, allowing writes to arbitrary locations accessible to the process. In a skill context, this is a strong capability escalation: a user asking for a legal fee calculation should not gain arbitrary file-write behavior, which can overwrite files, plant artifacts, or interfere with the host environment.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: `export_output_path` accepts a user-controlled `output_path` and converts it directly into a filesystem `Path`, allowing absolute paths and traversal outside the skill directory. `write_xlsx` then creates parent directories and writes attacker-controlled content there, which can overwrite application files, drop artifacts in sensitive locations, or enable persistence depending on the runtime permissions.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding: The file is entirely authored in Chinese and appears intended to drive the skill's response behavior toward Chinese without any visible user-language negotiation. In an agent skill, hard-coding a language can override user preference or broader system behavior, causing confusing output, reduced accessibility, and incorrect handling of multilingual users.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The Excel export operation performs a filesystem write to a path influenced by the caller without any user-facing warning, consent, or safety boundary. Even if the caller cannot target sensitive system paths, silent file creation/overwrite can still cause data loss, confusion, or abuse of the agent as a file-writing primitive.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding: The code generates a persistent session identifier and writes it to a local .session file without setting restrictive permissions, expiration, or any notice/consent mechanism. While this is not a direct remote code execution issue, a stable identifier can enable local tracking, unintended correlation of user activity across runs, and possible leakage to other local users or processes in shared environments.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The export function performs file writes immediately based on untrusted input and provides no confirmation, warning, or higher-level guardrail before persisting data. In an agent context, silent writes increase the chance of unintended file creation or tampering because a natural-language prompt could indirectly cause filesystem changes the user did not explicitly approve.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The code generates a persistent session identifier and reads skill name/version from SKILL.md, then attaches them to every outbound API request. Even if intended for telemetry or routing, this leaks stable metadata to a remote service without any consent, minimization, or local opt-out in this file, enabling request correlation and user/session tracking.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding: The script reads a local API key from config.json and automatically transmits it in the Authorization header to a URL that can be overridden via the OVERTIME_POLICY_API_URL environment variable. This creates a credential exfiltration risk if the environment is tampered with or if operators are unaware that running the skill sends secrets to a remote endpoint.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The code performs a persistent side effect, writing a user-controlled file, without any built-in confirmation, warning, or disclosure mechanism. In an agent setting this increases the risk of surprising or covert file creation, especially because the skill's described purpose is calculation rather than file management.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The export feature writes a file to a user-supplied path without any explicit disclosure, confirmation, or guardrails. In an agent context, hidden side effects on the local filesystem are risky because a prompt or tool caller may trigger writes the user did not meaningfully authorize, compounding the arbitrary-path issue and reducing transparency around system changes.

VirusTotal

66/66 vendors flagged this skill as clean.