Back to skill

Security audit

sexy-claw

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed recommendation/search helper, but it asks users to store live social-media cookies and includes unsafe shell execution paths that could run unintended local commands.

Review carefully before installing. Only use this in an isolated environment if you understand the risk of copying browser cookies, and do not provide active account cookies unless you are comfortable with any local code that can read the skill files using those sessions. The shell-based search scripts should be fixed before normal use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def search_xhs(keyword, num=10):
    """使用 xhs-cli 搜索"""
    cmd = f'source ~/.agent-reach-venv/bin/activate && xhs search "{keyword}" --sort popular --json'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    
    try:
        data = json.loads(result.stdout)
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def search_youtube(keyword, num=5):
    """搜索 YouTube 视频"""
    cmd = f'yt-dlp --dump-json "ytsearch{num}:{keyword}"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    
    results = []
    for line in result.stdout.strip().split('\n'):
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill instructs the host to open external video links directly via shell/open, which extends beyond simple recommendation into active execution on the user system. This can expose users to untrusted content automatically and creates a pivot for abuse if links are manipulated or if invocation happens unexpectedly.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill solicits and stores live platform authentication cookies in local files to perform searches. Cookies such as session tokens and CSRF-related values are sensitive credentials; retaining them for a recommendation workflow is disproportionate and creates account-takeover, impersonation, and privacy risks if the files are exposed or misused.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The manifest claims the skill will automatically obtain user cookies, while the body actually directs manual extraction from browser developer tools. This inconsistency is a red flag because it normalizes unsafe credential harvesting language and undermines informed consent about how highly sensitive authentication material is handled.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script loads persisted Bilibili cookies from a local file and reuses them for outbound requests, which can silently turn a simple search tool into an authenticated data access mechanism. In the context of this skill, whose metadata explicitly mentions automatically obtaining cookies and learning user preferences, this behavior materially increases privacy and account-abuse risk because the user's session tokens may be used without clear consent or scope limitation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script reads persisted Douyin cookies from disk and uses them as authentication material for searches, even though simple content search does not inherently require silent credential reuse. In the broader skill context, the stated behavior of automatically obtaining cookies and learning user preferences makes this credential handling especially dangerous because it enables account-bound actions and tracking without meaningful consent or disclosure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
For a simple search helper, spawning a shell is unnecessary and materially expands the attack surface beyond the stated purpose. In the context of a recommendation skill that processes user prompts, this design choice makes user input capable of reaching the system shell rather than only the intended search utility.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are broad and likely to overlap with normal conversation, increasing the chance of unintended invocation. In this skill, accidental activation is more dangerous because the workflow includes sensitive data solicitation, local retention, and external browsing actions.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill asks users to collect and store cookies without clearly warning that these values are authentication credentials that can grant account access. That omission materially increases risk because users may disclose session tokens without understanding takeover, impersonation, and cross-device login consequences.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This code sends locally stored Bilibili cookies in HTTP requests to a remote service without any user-facing notice, confirmation, or indication that authenticated state is being transmitted. Because the skill description centers on auto-acquiring cookies and profiling preferences, the lack of disclosure and consent makes this especially dangerous as it can expose session-linked behavior, personalization data, and potentially privileged account access beyond what a user expects from a search feature.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits authenticated requests to Douyin using stored cookies without notifying the user that their account session is being used. In this skill, which explicitly targets personalized scraping/recommendation across platforms and mentions automatic cookie acquisition, silent authenticated requests increase the risk of privacy invasion, account misuse, and violation of platform protections.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Accessing stored platform cookies from disk without a clear warning or consent mechanism is a privacy and credential-handling vulnerability because the user may not realize their session secrets are being consumed. Given the skill metadata explicitly advertises automatic cookie retrieval, this is more suspicious than a normal utility script and suggests covert credential use is part of the design rather than an incidental implementation detail.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The keyword comes from sys.argv and is interpolated directly into a shell command without escaping, validation, or any confirmation step. Because the skill is intended to accept natural-language user requests, an attacker can supply crafted input that breaks out of the quoted argument and executes arbitrary shell commands.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly directs solicitation, storage, and reuse of platform cookies and preference data in local files, creating a persistent repository of sensitive user-provided information. Because the data includes authentication material and behavioral preferences, compromise or misuse can lead to account access, privacy invasion, and profiling beyond the original task.

Ssd 3

Medium
Confidence
88% confidence
Finding
The skill instructs persistent logging of tastes and search history for future personalization, which creates an unnecessary retention path for personal preference data. Even if not as severe as cookie storage, this profiling data can reveal intimate interests and becomes sensitive when linked to accounts or reused across sessions without clear limits.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.