ClawHub

qwencloud-ops-auth

Security checks across malware telemetry and agentic risk

Overview

This authentication skill mostly fits its purpose, but it also includes unrelated update and installation flows that can change local skill state.

Review before installing. The credential-handling guidance is generally reasonable, but only allow .env edits, diagnostic output, agent-config registration, update checks, npx skill installation, or reminder-state changes when you intentionally want those local changes. Keep real API and OSS secrets out of chat and out of version control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is nominally limited to authentication setup, but it includes mandatory post-execution logic to discover, run, and potentially install a separate update-check skill. This expands behavior beyond the declared scope and can cause the agent to perform unrelated actions and preference management that the user did not request as part of auth configuration.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to run an external package installation command (`npx skills add ...`) from within an authentication-only workflow. That creates a supply-chain and scope-creep risk because a user seeking credential help could trigger installation of additional code unrelated to the requested auth task.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to append to `.env` automatically, which modifies project files without an explicit user-facing warning or confirmation about local file changes. Even though it uses a placeholder rather than the real secret, silent edits to configuration files can affect application behavior and violate user expectations.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The skill mandates saving diagnostic and verification output to disk without first obtaining consent or clearly warning the user that local files and directories will be created. While lower risk than code execution, this still causes unannounced state changes and may persist sensitive diagnostic metadata.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger keywords listed for this skill are broad enough to match common support conversations about API usage, authentication, regions, and 401 errors. In an agent ecosystem that auto-selects skills based on keyword matching, this can cause unintended invocation of a file-modifying authentication skill, increasing the chance of unnecessary config edits or exposure to sensitive auth-handling flows.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal