🏃 Coros

Security checks across malware telemetry and agentic risk

Overview

This COROS running-data skill is mostly coherent, but it can store reusable account session data and can modify or delete training schedules when configured to do so.

Install only if you trust this skill with your COROS account and private fitness history. Keep config.json private, do not commit or share cookies, tokens, p1, or p2 values, and leave demo_mode enabled or schedule_write.auto_apply=false unless you intentionally want the skill to change or delete COROS training schedule entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documentation indicates it uses file read/write and network access, including local credential/config handling and remote API calls, but no permissions are declared. This creates a transparency and consent gap: a user or platform may treat it as low-risk read-only functionality while it can access local files, persist auth state, and communicate externally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The skill is presented primarily as a running-data retrieval and review tool, but the documented behavior includes modifying training schedules and calling additional planning endpoints not reflected in the stated purpose. This mismatch is dangerous because users may invoke what they believe is a read-only analytics skill while it has write-capable functionality that can alter account data or training plans.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The front-matter markets the skill as a running-data retrieval tool, but the body documents training schedule modification features. That discrepancy reduces informed consent and increases the risk of accidental invocation of state-changing operations under the guise of a passive reporting tool.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The documentation frames the skill as a data reading/display tool for training review, yet later sections describe write operations that contradict that intent. In context, this makes the skill more dangerous because users seeking harmless analytics may trigger a component with account-modifying power.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The example configuration exposes write-capable schedule modification parameters even though the skill description presents the capability primarily as running-data retrieval. This can normalize or enable calendar/training-plan changes if downstream code reads these fields, creating a scope mismatch that may cause unauthorized or surprising state-changing actions.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The skill is presented as a data-viewing and analysis tool for COROS running data, but the codebase includes primitives for modifying training schedules, including update and delete flows. This is dangerous because users or calling agents may authorize what appears to be read-only access while the skill can actually perform state-changing account operations, creating a scope mismatch with real integrity impact.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: This section implements account-data modification logic for adding, updating, and deleting training schedules, despite the skill being described as viewing and analyzing running data. Hidden write capability is dangerous because an invoking agent or user may not realize the skill can alter account state, enabling unintended schedule tampering or destructive changes if config is set or manipulated.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The README documents schedule add/update/delete operations that go beyond the stated read-only running-data retrieval purpose of the skill. Even if framed as a 'safe mode', documenting hidden or broader write capabilities creates a scope mismatch that can mislead users and reviewers and may enable unintended modification of training schedules when configuration is changed.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The documentation says the skill 'defaults to preview and will not write', but also explains how to enable real writes with auto_apply=true. This contradictory messaging can cause users or auditors to underestimate the risk of state-changing behavior, increasing the chance of accidental or unauthorized schedule modification.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger phrases are broad, conversational requests such as asking whether the user ran today or for recent running status. Overly generic triggers increase the chance of unintended activation, which is especially risky here because the skill handles authentication, reads private fitness data, and also documents write-capable schedule operations.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The code persists access tokens, user IDs, and cookies into a local config file without protection, expiry metadata, encryption, or user-facing notice. If the local file is read by another user, process, backup system, or adjacent skill, the attacker may reuse authenticated session material to access the victim's COROS account data or act on their behalf.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The README instructs users to place COROS account identifiers and session cookies directly in config.json without a strong warning about credential sensitivity, storage protections, or leakage risks. If this file is uploaded, committed, or exposed, an attacker could reuse those secrets to access the user's account and private fitness data, and potentially perform account actions depending on token scope.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The trigger list contains many broad, generic phrases such as '运动数据', '数据分析', '训练计划', and '今天跑步了吗', which can match normal user conversation unrelated to an explicit request to invoke this skill. This increases the chance of unintended activation, causing the agent to access or expose sensitive fitness/account data when the user did not clearly intend to use the COROS integration.

VirusTotal

64/64 vendors flagged this skill as clean.