xiaoya-auto-doing

Security checks across malware telemetry and agentic risk

Overview

This skill is meant for WHUT login and page capture, but it will use the stored credentials against any URL it is given, and its workflow tells the agent to auto-submit answers without a clear approval step.

Install only if you trust this skill with WHUT credentials and can verify every target URL before running it. Do not let it auto-submit answers or forms unless you explicitly intend that action, and delete latest_page_dump.json after use if it contains private coursework, prompts, account data, or other sensitive text.
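The checks above (scope credentials to the intended site, gate state-changing submissions behind explicit approval, minimise and clean up the page dump) can be expressed as code. The following is an added example written for this page, not the xiaoya-auto-doing skill's own code; the allowlisted origin, the environment variable names WHUT_USER/WHUT_PASS, the redaction regexes and the sample page text are all assumptions made for the example.

```python
"""Added example, not the skill's own code: guard rails for a credentialed
login/page-capture skill. Credentials are released only for an allowlisted
origin, state-changing actions need per-run approval, and the page dump is
redacted, owner-readable only, and deleted after use. Origin names, env-var
names, regexes and the sample page text are assumptions for this example."""
import json
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {("https", "sso.example-university.invalid")}  # assumed placeholder
USER_VAR, PASS_VAR = "WHUT_USER", "WHUT_PASS"  # assumed names
SECRET_PATTERNS = [  # heuristic: bearer tokens and session/csrf cookie values
    re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._-]{16,}"),
    re.compile(r"(?i)\b((?:jsessionid|sessionid|token|csrf)=)[^;&\s\"']+"),
]


class SkillPolicyError(Exception):
    """The skill is about to do something the operator did not scope."""


def credential_scope_ok(url: str) -> bool:
    """True only for an allowlisted (scheme, host). urlsplit() makes userinfo
    tricks ('https://good@evil.invalid/') and http downgrades fail, which a
    substring check on the URL would not."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower()) in ALLOWED_ORIGINS


def load_credentials(url: str, env=os.environ) -> tuple[str, str]:
    """Hand out the stored secret only after the target passed the origin check."""
    if not credential_scope_ok(url):
        raise SkillPolicyError(f"refusing to use credentials for {url!r}")
    user, password = env.get(USER_VAR), env.get(PASS_VAR)
    if not user or not password:
        raise SkillPolicyError(f"{USER_VAR}/{PASS_VAR} not set")
    return user, password


def require_approval(action: str, approved: frozenset[str]) -> None:
    """Refuse a state-changing action unless it was approved for this run."""
    if action not in approved:
        raise SkillPolicyError(f"action {action!r} was not approved for this run")


def redact(text: str) -> str:
    """Replace token-like values with a placeholder before persisting."""
    for pat in SECRET_PATTERNS:
        text = pat.sub(r"\1[REDACTED]", text)
    return text


def write_dump(path: str, page_text: str, questions: list[str]) -> dict:
    """Persist only redacted text, with owner-only (0600) permissions."""
    record = {"page_text": redact(page_text), "questions": [redact(q) for q in questions]}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(record, fh, ensure_ascii=False)
    os.chmod(path, 0o600)  # O_CREAT mode is umask-masked and ignored for existing files
    return record


def dump_is_private(path: str) -> bool:
    """Owner-only mode bits; only meaningful on POSIX."""
    return os.name != "posix" or stat.S_IMODE(os.stat(path).st_mode) == 0o600


def demo() -> dict:
    """Exercise the guards on constructed inputs; returns what was blocked."""
    env = {USER_VAR: "student", PASS_VAR: "hunter2"}  # constructed, not real
    good = "https://sso.example-university.invalid/login"
    res = {"good_url_ok": credential_scope_ok(good),
           "userinfo_trick_blocked": not credential_scope_ok(
               "https://sso.example-university.invalid@evil.invalid/login"),
           "http_downgrade_blocked": not credential_scope_ok(good.replace("https", "http", 1))}
    try:
        load_credentials("https://evil.invalid/login", env)
        res["leak_blocked"] = False
    except SkillPolicyError:
        res["leak_blocked"] = True
    try:
        require_approval("submit_answers", frozenset({"login", "capture_page"}))
        res["submit_blocked"] = False
    except SkillPolicyError:
        res["submit_blocked"] = True
    page = ("Week 3 quiz\nQ1: What is TCP?\nSet-Cookie: JSESSIONID=ABC123DEF456; Path=/\n"
            "Authorization: Bearer abcdefghijklmnopqrstuv")  # constructed page text
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "latest_page_dump.json")
        res["record"] = write_dump(path, page, ["Q1: What is TCP?"])
        res["dump_private"] = dump_is_private(path)
        os.remove(path)  # delete the dump once it has been used
        res["dump_removed"] = not os.path.exists(path)
    return res


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The origin check is done on the parsed (scheme, hostname) pair rather than on the URL string, because a userinfo prefix or a trailing-domain trick passes a naive "contains the expected host" test while sending the credentials elsewhere. The approval set is per run and contains only the actions the operator named, so "submit_answers" is blocked even though "login" and "capture_page" are allowed. Redaction is a best-effort minimisation, not a substitute for deleting the dump after use.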

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The workflow explicitly states it will automatically answer and submit questions, which is a material capability beyond simple login and page capture. Expanding a skill from authentication/navigation into autonomous form submission creates undisclosed state-changing behavior that can trigger unauthorized actions, academic integrity violations, or unintended transactions on behalf of the user.

Description-Behavior Mismatch

Severity: Low
Confidence: 85%
Finding
Persisting captured page contents to a local JSON file is a behavioral side effect not disclosed in the skill description. Even if intended for convenience, local storage can retain sensitive page text, tokens, prompts, or personal data longer than expected and increase exposure to other local processes or later misuse.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill explicitly sources credentials from environment variables or local secret files and captures authenticated page content, but it does not warn about secret exposure, session side effects, or the possibility that captured data may contain sensitive information. That increases the risk of accidental credential misuse, over-collection, or inappropriate sharing of page dumps produced from an authenticated session.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The workflow instructs the agent to load credentials from environment variables or a local secret file without any warning, scoping limits, or handling safeguards. This normalizes automated credential use in a broadly callable skill and increases the risk of accidental secret exposure, unintended account access, or reuse of credentials in the wrong context.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The workflow combines automatic credential submission with automatic answering/submission actions, yet provides no user warning that the skill will perform state-changing operations. This is dangerous because it can log in, alter account state, and submit content without contemporaneous consent, especially on a site handling assessments or gated workflows.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The script silently reads credentials from environment variables or a local secret file and immediately uses them for automated login. In a skill/agent setting, undisclosed credential use is security-relevant because it can surprise operators, bypass informed consent, and normalize secret handling without auditability or explicit approval.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The script captures full page text and extracted questions, then writes them to `latest_page_dump.json` locally without any disclosure, minimization, or access control. If the page contains sensitive or proprietary data, this creates a persistent local copy that may be exposed to other tools, users, or later exfiltration.

VirusTotal

66/66 vendors flagged this skill as clean.