ClawHub

AI Promo

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed promo lookup, submission, and subscription tool, but it uses a remote service and persistent local identifiers that users should understand before installing.

Install only if you are comfortable with a remote promo service creating a local user ID, sending that ID with promo API requests, storing subscription state in your home directory, and accepting user-submitted promo links for review. Enable any cron-based daily push deliberately, and remove ~/.promo_user_id, ~/.promo_subscribers.json, or ~/.promo_push.log if you want to clear local state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes local shell scripts and uses filesystem paths, but it does not declare those capabilities or permissions. This creates a transparency and trust problem: an agent or user may believe the skill is read-only promo lookup while it can execute code, write files, and interact with the system, increasing the blast radius if the scripts are unsafe or modified.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is querying promotions, but the skill also persists identifiers, manages subscriber state, supports remote submission of user-provided content, and defines a cron-based push workflow. That mismatch is security-relevant because users are not clearly informed that using the skill causes local persistence and outbound data flows beyond a simple lookup, undermining informed consent and making abuse or privacy harm more likely.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script implements a cron-driven proactive push workflow, including iterating over stored subscribers and updating delivery state, which goes beyond a simple on-demand promo query skill. In an agent-skill context, this increases risk because it creates persistent outbound messaging behavior that users may not expect from the stated skill description, enabling unsolicited notifications and broader abuse if subscriber data is poisoned or consent is unclear.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill stores a persistent subscriber database and delivery log in the user's home directory, which introduces data retention and privacy risk unrelated to a simple informational lookup skill. In this context, persistence makes the behavior more dangerous because it enables ongoing tracking of channels and send history, and those files may be read, modified, or reused by other local processes without safeguards.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
Although the comment claims message sending still needs integration, the function already performs state-changing bookkeeping by marking last_sent in the subscription file. This mismatch is risky because operators may believe the code is inert or incomplete while it is already mutating persistent state, which can hide side effects, interfere with later delivery logic, or be used to suppress expected notifications.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says it queries promo information, but this script collects user-provided content and submits it to a remote API. That mismatch is security-relevant because users and calling agents may authorize a read-only/info-retrieval skill while unknowingly triggering data submission to an external service, creating a deceptive data-flow and consent problem.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script generates and persists a local user identifier in ~/.promo_user_id even though the advertised purpose is promo lookup, not account linkage or tracking. Persistent identifiers enable cross-session correlation of user activity and add privacy risk, especially when transmitted alongside submitted content to a remote service.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script persists subscription state in a local file and enables daily push behavior, which materially expands the skill from simply querying promo information into ongoing user tracking and retention. That creates privacy and consent risk because channel and user identifiers are stored indefinitely, and the manifest description does not clearly disclose persistent state or recurring notifications.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script creates and persists a stable user identifier in $HOME/.promo_user_id even though the skill is described only as querying promotional information. A persistent identifier enables cross-session tracking and correlation of user activity, and the data collection is not transparent from the stated skill purpose, making this a real privacy/security concern.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file implements identity management functionality that is broader than what is needed for a simple promotions lookup skill. Even if the identifier is random, maintaining it across runs creates unnecessary tracking capability that could be used to profile users or associate future requests with prior behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad triggers such as terms related to discounts, referrals, free tokens, and赚钱 can cause the skill to auto-activate in ordinary conversation where the user did not intend to invoke it. Because the skill performs stateful and networked actions, accidental activation can lead to unnecessary identifier creation, remote requests, or exposure of promotional/referral content without clear user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The automatic activation rules describe when to run but not when not to run, and they do not distinguish harmless lookups from higher-risk actions like submission or subscription management. In an agent environment, ambiguous boundaries increase the chance of unintended execution and make it harder to enforce least surprise and consent for persistent or external operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill stores a persistent user ID and subscriber data locally and sends the user ID to a remote API, but the user-facing description does not clearly disclose these behaviors. This is a privacy and consent issue: persistent identifiers enable cross-session tracking, and undisclosed local storage and remote transmission may violate user expectations or platform policy.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script transmits each subscriber's user_id to a remote third-party endpoint as a URL query parameter without any visible disclosure, consent handling, or minimization. In this skill context, that is more dangerous because the advertised purpose is promo lookup, yet the implementation quietly links subscriber identities to a remote service on a scheduled basis, creating privacy, tracking, and metadata leakage risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends a persistent user identifier to a third-party remote API on every query without any user-facing notice, consent flow, or minimization. Even if the identifier is pseudonymous, it enables cross-session tracking, query correlation, and behavioral profiling by the remote service, which is a real privacy/security issue in an agent skill context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script silently creates and stores a persistent identifier in the user's home directory, which establishes durable tracking across runs without transparency or permission. In a skill environment, hidden local persistence can surprise users and create privacy risk, especially when that identifier is later transmitted to a remote endpoint.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script both stores a local identifier and later transmits user-supplied promo data plus that identifier to a remote API, but provides no explicit notice or consent prompt about either action. In an agent-skill context, silent collection and transmission are more dangerous because users may assume local processing based on the skill description and may not realize a durable identifier is being created.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The regenerate path silently overwrites the stored identifier file without any warning, confirmation, or audit trail. This is not severe on its own, but it can surprise users, disrupt account/linkage semantics, and hides stateful behavior that affects privacy and backend attribution.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal