Brainstorming · From Idea to Design

Security checks across malware telemetry and agentic risk

Overview

This is a design-planning skill with an optional local browser companion. The server and logging behavior called out in the findings below is real, but it is mostly disclosed, bound to localhost by default, and limited to showing mockups and recording the choices the user makes in them.

Install this if you want a strict design-before-implementation workflow. Expect it to read project context, create and commit spec files, and optionally run a localhost browser server that stores mockups and browser selections. Keep the companion bound to localhost when possible, avoid --host 0.0.0.0 on untrusted networks, and add .superpowers/ to .gitignore if companion artifacts should not be committed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill presents itself as a brainstorming/design-only workflow, but its instructions introduce a browser-based 'visual companion' with external state, opening of local URLs, session handling, and backend interaction (as the static analysis found). That is a meaningful capability expansion beyond the declared purpose, and it can lead operators to approve tool use or local service activity they would not expect from a planning skill.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file establishes a persistent WebSocket connection, streams queued client events, and accepts server messages that can trigger page reloads. For a brainstorming skill whose stated purpose is exploring intent and requirements, this introduces hidden telemetry and remote control behavior that exceeds expected functionality and increases attack surface.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The client blindly trusts any WebSocket message with type 'reload' and immediately reloads the page, giving the remote endpoint page-control capability. Even if intended for development convenience, this can be abused to disrupt user workflows, repeatedly reset state, or mask other malicious activity, and it is not justified by the skill's brainstorming purpose.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file implements a local HTTP/WebSocket server that serves HTML from disk and injects a helper script into rendered pages, which is materially broader than a brainstorming-only skill description. Even if intended as a local companion UI, this expands the attack surface by exposing network listeners, rendering potentially untrusted HTML, and creating a browser-execution path that could be abused if an attacker can influence the content directory or connect to the service.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The server accepts interactive WebSocket connections without authentication, origin validation, or any real access control beyond binding to the configured host. A local or nearby attacker who can reach the port could send arbitrary messages that are logged and persisted, or drive the companion behavior, making this unjustified interactive service risky in the context of a brainstorming skill.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code watches a filesystem directory, logs screen-change events, deletes and rewrites state files under /tmp, and persists user choice events. For a brainstorming skill, this is unnecessary persistent behavior that can leak sensitive interaction data, create tamper opportunities in a shared temporary directory, and broaden the consequences if another local process can manipulate those paths or files.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill goes beyond visual brainstorming guidance and instructs the agent to start a local HTTP server, create persistent files, and manage session state on disk. That broadens the skill from presentation assistance into system operation and data persistence, increasing attack surface and the chance of unintended file exposure or misuse in environments where users do not expect a brainstorming skill to run services.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The file provides detailed instructions for launching and maintaining a background web server across environments, including remote/container scenarios and non-loopback binding. Even if intended for UX, this grants operational behavior not obviously justified by a brainstorming skill and can expose local content or state to other processes or network peers if misconfigured.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill says it 'MUST' be used before essentially any creative or functional change, making its trigger scope extremely broad. In practice this can force unnecessary project/context inspection, file access, and process flow changes across many requests, increasing exposure and making it easier for hidden side effects in the skill to run in situations where they are not needed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Queued events are sent over the WebSocket as JSON without any visible disclosure or consent mechanism, and the connection uses ws:// derived from the current host rather than a secure authenticated channel. This creates covert collection of user interaction data and risks exposure or interception of telemetry, especially on non-local or untrusted networks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The click handler captures textContent, dataset values, and element IDs from user-selected UI elements and transmits them to the server without warning. In a brainstorming context, these fields may contain sensitive ideas, project names, or internal identifiers, so undisclosed collection is more dangerous because users would not reasonably expect monitoring from a design-assistance skill.
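The three browser-side findings above (a `reload` frame that is trusted blindly, a `ws://` URL derived from the current host, and a click handler that ships textContent, dataset values and element ids without disclosure) share one fix on the client. The script below is an added example and is not the skill's own helper script; the `<meta name="companion-token">` tag, the `data-choice` attribute, the `/ws` path and the frame shapes are assumptions made for the example.

```javascript
// Added example, not the skill's own client: a hardened browser-side companion
// script. Hypothetical assumptions: the served page carries the session token in
// <meta name="companion-token">, server frames are JSON objects with a "type"
// field, and only elements marked data-choice="..." are selectable choices.

const ALLOWED_SERVER_TYPES = new Set(['reload', 'ack']);
const LOOPBACK_HOSTS = new Set(['127.0.0.1', 'localhost', '[::1]']);
const DISCLOSURE =
  'Clicks on marked choices are sent to the local companion server and ' +
  'recorded under its state directory. Continue?';

// Derive the socket URL from the page's own scheme: wss: behind https:, and
// never a plaintext ws: to anything but loopback.
function socketUrl(loc) {
  const scheme = loc.protocol === 'https:' ? 'wss:' : 'ws:';
  if (scheme === 'ws:' && !LOOPBACK_HOSTS.has(loc.hostname)) {
    throw new Error(`refusing plaintext WebSocket to non-loopback host ${loc.hostname}`);
  }
  return `${scheme}//${loc.host}/ws`;
}

// Decide what to do with one server frame: unknown types are dropped, and
// 'reload' is honoured only when it carries this page's session token.
function handleServerMessage(raw, sessionToken) {
  let msg;
  try { msg = JSON.parse(raw); } catch { return { action: 'ignore', reason: 'not JSON' }; }
  if (!msg || typeof msg !== 'object' || !ALLOWED_SERVER_TYPES.has(msg.type)) {
    return { action: 'ignore', reason: 'unknown type' };
  }
  if (msg.type === 'reload') {
    if (typeof msg.token !== 'string' || msg.token !== sessionToken) {
      return { action: 'ignore', reason: 'reload without valid token' };
    }
    return { action: 'reload' };
  }
  return { action: 'ack' };
}

// Record a click only for elements explicitly marked data-choice, and send just
// that identifier: no textContent, no other dataset values, no element ids.
function captureChoice(el, now = Date.now) {
  const id = el && el.dataset ? el.dataset.choice : undefined;
  if (typeof id !== 'string' || id === '') return null;
  return { type: 'choice', id: id.slice(0, 80), ts: now() };
}

// Event queue that holds nothing until the user has accepted the disclosure,
// so no interaction data is collected before consent.
function createEventQueue() {
  let consented = false;
  const pending = [];
  return {
    grantConsent() { consented = true; },
    push(ev) {
      if (!consented || ev === null) return false;
      pending.push(ev);
      return true;
    },
    drain() { return pending.splice(0, pending.length); },
    get size() { return pending.length; },
  };
}

// Browser wiring; kept in a function so the module also loads outside a browser.
function attach(win) {
  const meta = win.document.querySelector('meta[name="companion-token"]');
  const token = meta ? meta.content : '';
  const queue = createEventQueue();
  if (win.confirm(DISCLOSURE)) queue.grantConsent();
  const ws = new win.WebSocket(socketUrl(win.location));
  const flush = () => {
    if (ws.readyState !== ws.OPEN) return;
    for (const ev of queue.drain()) ws.send(JSON.stringify(ev));
  };
  ws.onopen = flush;
  ws.onmessage = (e) => {
    if (handleServerMessage(e.data, token).action === 'reload') win.location.reload();
  };
  win.document.addEventListener('click', (e) => {
    if (queue.push(captureChoice(e.target))) flush();
  });
}

if (typeof window !== 'undefined') attach(window);
```

The design choice worth noting is that the page never sends what the user clicked on, only an identifier the mockup author chose to expose, and that a `reload` frame is useless to anyone who does not already hold the token embedded in the served page.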

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill says browser clicks and selections are recorded to `state_dir/events`, but it does not instruct the agent to clearly disclose this collection to the user before interaction. Recording interaction telemetry without an explicit user-facing notice can create privacy and trust issues, especially when the browser is used as an auxiliary interface rather than an obvious logging surface.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guidance explicitly recommends binding the server to `0.0.0.0` when localhost is unreachable, but omits a warning that this may expose the service to other hosts on the network. In skill context, that is more dangerous because the same server is serving generated HTML and maintaining interaction state, so accidental exposure can leak session data or allow unintended access to the active interface.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal