Case Assessment Report (得理科技)

Security checks across malware telemetry and agentic risk

Overview

This legal intake skill is mostly purpose-aligned, but it sends sensitive legal queries and an API key to a third-party service while disabling normal HTTPS verification.

Review before installing or using with real client matters. Use only redacted, non-confidential facts unless you control the API account and accept the third-party data flow. The TLS-disabling code should be fixed before sending real credentials or legal matter details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

MCP Least Privilege

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to read local reference files and a local config.json for an API key, and to invoke external API-backed scripts, yet it declares no permissions. That creates an authorization/transparency gap: a user or platform may believe the skill is purely prompt-based while it actually performs file access and network retrieval, which can expose secrets or transmit sensitive case facts to third parties without explicit permission gating.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The real security issue in this area is not the docstring wording but that the script later disables TLS certificate and hostname verification before sending API credentials and potentially sensitive case facts to a third-party service. In a litigation-intake context, those queries may contain confidential client information, so a man-in-the-middle attacker could intercept or tamper with requests and responses.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script claims to call an HTTPS legal API, but later explicitly disables certificate and hostname verification for the outbound request. This enables man-in-the-middle interception or redirection of API traffic, exposing the bearer API key and allowing attackers to tamper with returned legal materials used in litigation assessment.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code adds an unnecessary capability to bypass TLS validation in a script whose purpose is only to retrieve legal reference data. In this context, that violates least privilege and allows attackers on the network path to impersonate the API, steal the Authorization bearer token, and inject false or manipulated law search results into legal workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance explicitly recommends using long-text case search when users provide complete case materials, but it does not warn against sending sensitive personal, commercial, or litigation data directly into the search tool. In a litigation-intake context, full case materials commonly contain highly confidential facts, identities, evidence details, and privileged strategy information, so this omission creates a real privacy and confidentiality leakage risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script transmits user-supplied case descriptions and an API bearer token to an external legal platform without a clear user-facing warning or consent step. In this skill's context, queries may include privileged, personally identifiable, or commercially sensitive dispute information, making undisclosed external transmission a significant confidentiality and compliance risk; the disabled TLS verification further increases exposure.

Missing User Warnings

High
Confidence
98% confidence
Finding
Outbound API requests are made with TLS certificate and hostname verification disabled and there is no warning to operators that transport authenticity is not being checked. This is especially risky here because the script handles a bearer credential and returns legal authorities that may influence case intake, so silent tampering could produce confidentiality and integrity failures.

VirusTotal

66/66 vendors flagged this skill as clean.