IELTS Tuyaya Upload (One-Click IELTS Score Upload)

Security checks across malware telemetry and agentic risk

Overview

This skill sends IELTS review files and service tokens to tuyaya.online as advertised, with some privacy-sensitive behavior users should understand before using it.

Install only if you are comfortable sending IELTS review JSON and tuyaya auth tokens to tuyaya.online. Review files before batch upload, prefer token mode for account-bound data, and do not share printed tokens, dashboard links, terminal output, or chat logs containing them. Treat anonymous mode as pseudonymous because it can link uploads to a stable local identifier.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the agent to use shell commands and make network requests, yet it declares no permissions or equivalent capability constraints. This creates a trust and containment gap: users and the platform are not properly informed that the skill can execute local commands and transmit data off-host.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior extends beyond simple upload/view operations into account management, token recovery from shell startup files, browser-based authorization, and server-side data querying. This mismatch is dangerous because users may invoke the skill expecting a narrow upload helper while it accesses authentication material and performs broader account actions than disclosed.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script goes beyond publishing and performs local filesystem mutations under ~/.workbuddy/skills, including moving, backing up, and replacing installed skill directories. For a skill whose stated purpose is uploading review files and viewing dashboards, bundling installer-side persistence and mutation increases the blast radius and can unexpectedly alter a user's local agent environment.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script installs a global npm package and triggers login/publish actions, which are privileged environment-modifying operations unrelated to the end-user upload/dashboard behavior advertised by the skill. If run in the wrong context, it can modify the host toolchain and publish workflow state without clear user expectation, creating unnecessary supply-chain and environment risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script attempts to recover a login token by scraping shell rc files, which exceeds the minimum needed to upload a chosen JSON file and accesses unrelated credential storage. This behavior can silently harvest sensitive authentication material and then immediately transmit it to a remote service, increasing risk of credential misuse or accidental account compromise.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
In so-called anonymous mode, the script derives a stable identifier from hostname and username and also sends a visible user name. That creates persistent device/account tracking and leaks local identity information that is not necessary to upload review content, undermining the privacy expectation created by the feature description.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The comments and UX describe the fallback as anonymous/guest-safe, but the implementation sends stable host/account-derived identifiers plus a user name. This mismatch is security-relevant because it can mislead users into disclosing identity-linked metadata under false privacy assumptions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad trigger phrases such as 'dashboard' and '批量同步' can cause the skill to activate for unrelated user requests. Because the skill performs shell and network actions and may initiate authorization flows, accidental activation increases the chance of unintended data access or transmission.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation conditions include generic requests about viewing a dashboard rather than clearly limiting use to IELTS review upload/sync tasks. In context, this matters because activation can lead to token checks, browser authorization, and remote queries, which are more sensitive than passive dashboard navigation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The anonymous mode is not truly anonymous if it derives a stable identifier from hostname and username and transmits it to the server. Without a clear warning, users may unknowingly expose a persistent pseudonymous identifier that can support tracking or correlation across uploads.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script retrieves a login token from shell startup files and sends it in a JSON payload without an explicit warning or fresh confirmation. Tokens are bearer credentials, so silent collection and transmission materially increases the chance of credential exposure, misuse, or unintended account actions.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 4: Post-ingestion check (token mode only, optional but recommended)

```bash
curl -s https://tuyaya.online/api/ielts \
  -H 'Content-Type: application/json' \
  -d "{\"action\":\"getReviews\",\"token\":\"$IELTS_USER_TOKEN\",\"book\":5,\"test\":4}" \
  | python3 -m json.tool
```
Confidence
89% confidence
Finding
curl -s https://tuyaya.online/api/ielts \ -H 'Content-Type: application/json' \ -d

VirusTotal

64/64 vendors flagged this skill as clean.
