Kids Points

Security checks across malware telemetry and agentic risk

Overview

This kids points tracker is mostly related to its stated purpose, but it needs review because it sends child-related text to third-party services and includes hardcoded credentials, fixed Feishu destinations, and unsafe shell execution paths.

Install only after reviewing and preferably patching the external processing and messaging paths. Remove and rotate the embedded MiniMax key, require explicit configuration for MiniMax and Feishu, disable or fix shell-based TTS/ASR execution, and protect or purge local logs and reports because they may contain children’s activity details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (42)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill metadata declares only an environment requirement, while the documented and reported behavior indicates network-capable functionality and external API usage. Undeclared capabilities reduce transparency and can bypass user/admin expectations about what the skill is allowed to do, especially when handling children's activity data and logs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is a simple points-tracking assistant, but the reported behavior includes external API calls, voice processing, image archival, report generation, Feishu messaging, cron-driven automation, and even a built-in default API key. This mismatch is dangerous because users may expose children's data to third parties or trigger background actions they did not knowingly consent to.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented cron workflow adds outbound group messaging to a Feishu chat, which is a capability not disclosed in the skill's stated scope. Undisclosed external communication increases the risk of surprise data exfiltration, unauthorized notifications, or misuse of the agent in a broader operational context than users expect.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The message flow shows the skill ultimately sends content to a Feishu group, but that behavior is absent from the manifest description. In a skill handling children's points data, hidden outbound delivery is more sensitive because it can expose behavioral or personal information to a chat group without clear disclosure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill sends user message text to an external MiniMax LLM for parsing expenses and income, but the metadata/description only describes local bookkeeping behavior. For a children's points assistant, this hidden network transmission changes the trust boundary and can expose potentially sensitive child-related activity text to a third party without informed consent.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill invokes an external Python ASR script via a subprocess to process audio attachments, but this capability is not disclosed in the description. Hidden subprocess execution increases operational risk and may process user audio in ways the user or platform operator did not expect.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hardcoded fallback API key is embedded directly in source code for outbound MiniMax requests. Embedded secrets are easily leaked through source distribution, logs, backups, or repository access, enabling unauthorized use of the external account and making it impossible to meaningfully rotate or scope per deployment.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The skill executes a shell command to process an audio attachment using a Python script, a privileged capability not justified by the manifest description. Even though the attachment path is quoted, introducing shell execution for user-supplied attachment handling expands the attack surface and can lead to command injection, path abuse, or unsafe execution chains if upstream assumptions break.

Intent-Code Divergence

High
Confidence
82% confidence
Finding
The header claims the script is effectively read-only with respect to data, but the implementation writes report files under the workspace and a message file in /tmp. That mismatch is dangerous because operators may grant broader trust or fewer controls based on the comment, and writing to predictable locations can create data leakage or tampering opportunities in shared environments.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script transmits generated content to an external Feishu group via a hard-coded chat ID, but the skill description only mentions points management and cross-session consistency, not outbound messaging to third parties. This creates an undisclosed data egress path that could leak children's activity or score information to recipients the user did not explicitly authorize.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A hard-coded Feishu destination embeds a fixed external recipient into the skill, which is not obviously required for core bookkeeping functionality. In the context of a children's points system, this increases the risk of persistent unauthorized disclosure, because all generated reports are routed to the same external group regardless of tenant, user, or consent state.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script contains a hard-coded Feishu chat ID and prepares message delivery to that external destination without any visible authorization, configuration boundary, or recipient validation. In a skill described as a children's points assistant, undisclosed outbound messaging increases the risk of data leakage to an unintended group, especially if the generated report contains children's activity or behavioral data.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The module builds a shell command from runtime-controlled text and voice values and executes it via execSync, invoking an external Python TTS process. Escaping only double quotes is insufficient for shell safety, so crafted input containing shell metacharacters can trigger command injection; additionally, the external-process capability expands the skill's attack surface beyond simple points management.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The changelog states that voice playback is enabled by default after each points record, but it does not mention consent, environmental privacy risks, or how to disable disclosure in shared spaces. In a child-focused skill, automatic spoken output can expose behavior, balances, or routines to bystanders and create avoidable privacy leakage.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The changelog advertises input audit logging but gives no indication of what data is retained, for how long, or whether sensitive child-related inputs are minimized or protected. Logging free-form user input can capture personal, behavioral, or family information, which increases privacy and compliance risk if stored unnecessarily or accessed improperly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation describes automatic file writes and scheduled outbound group messaging without any user-facing warning or consent mechanism. Silent persistence to /tmp and automatic transmission are dangerous because they can expose sensitive data, especially in a child-focused points-management context where operators may not realize reports are being stored and broadcast.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README explicitly says users can 'directly say' what they completed without a fixed format, which makes the trigger surface overlap with ordinary conversation. In an agent setting, overly broad natural-language activation can cause unintended record creation or point changes from casual text that was not meant as a command.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The documentation states the system understands common phrases like 'completed', 'did', and 'wrote', which are highly likely to appear in normal conversation. That increases the chance of accidental triggering and unauthorized or unintended state changes, especially because the skill persists results across sessions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README says user input is written to audit logs and balance files for persistence and deduplication, but it does not clearly warn users that their text will be stored on disk. This creates a privacy and transparency issue because users, especially in a child-focused skill, may disclose sensitive personal or behavioral information without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The voice feature description says audio can be sent for automatic recognition using an external API, but it does not disclose external transmission, third-party processing, or privacy implications. Because this skill is for children, undisclosed transfer of voice data materially raises consent, privacy, and compliance risks.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document explicitly says the skill will automatically write to balance.md and input.log, but provides no notice, consent flow, or limitation on what gets persisted. In a children-focused points-management skill, silent state changes and background logging increase privacy and integrity risk because user content may be stored unexpectedly and balances may be modified without clear confirmation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Stating that every input is recorded for audit tracing indicates comprehensive logging of user-provided content without warning about privacy impact, sensitive-data capture, or retention controls. Because this skill appears to process natural-language inputs in a child-related context, indiscriminate logging can accumulate sensitive family or child behavioral data over time.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill states that every input is recorded in an audit log but does not warn users that free-form inputs may contain sensitive personal or family information. In a children's points-tracking context, routine logging can accumulate behavioral, educational, and household data that could later be exposed or misused.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The usage guide advertises very broad natural-language understanding, including mapping short everyday phrases directly to actions such as point spending. In a voice- or chat-driven system, this can cause unintended activation or misclassification, leading to unauthorized or accidental balance changes, especially for child users and in noisy or ambiguous contexts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document states that the system will automatically record points and update balances, but it does not clearly warn users that their inputs are being logged and persistent data files are modified. This reduces informed consent and increases the chance of silent or unexpected state changes, which is particularly concerning in a cross-session bookkeeping tool.

VirusTotal

65/65 vendors flagged this skill as clean.