Security audit

qwencloud-update-check

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed QwenCloud update checker that reads version metadata, checks GitHub, writes a small local state file, and prints update commands without running installs itself.

Install only if you trust QwenCloud update notices. Expect occasional GitHub version checks and a persistent .agents/state.json timestamp/preference file. Review any printed npx skills add command before running it, especially if QWEN_SKILLS_REPO or skills-lock.json has been changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not script.is_file():
    return
try:
    proc = subprocess.run(
        [sys.executable, str(script), "--print-response"],
        capture_output=True, text=True, timeout=15,
    )
Confidence
86% confidence
Finding
proc = subprocess.run( [sys.executable, str(script), "--print-response"], capture_output=True, text=True, timeout=15, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no explicit permissions despite documented behavior requiring environment access, file reads/writes, network access, and shell execution. This undermines least-privilege review and can cause the skill to be invoked with broader capabilities than users or hosts expect, reducing transparency and increasing the chance of unsafe execution in agent environments.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The documented purpose is a narrow version check, but the analyzed behavior expands into installation detection, recommending update commands for multiple skills, and persisting prompt-suppression preferences. This mismatch is dangerous because operators may approve or auto-run the skill expecting a read-only check when it actually influences update workflows and writes persistent state, creating room for unauthorized or surprising actions.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger description includes broad conditions such as 'any other qwen skill delegates to this skill' and generic update-related phrasing, which increases the chance of unintended activation. In an agent system, overbroad triggers can cause network calls, file writes, or update-related guidance to occur in contexts where the user did not specifically request this skill, expanding attack surface and reducing user control.

VirusTotal

66/66 vendors flagged this skill as clean.