Knowfun

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real Knowfun.io API client, but its setup and agent-use guidance give it credential-backed, credit-spending access with weak warnings around secret storage, remote/natural-language execution, and data sent to the external service.

Install only if you are comfortable giving the skill a Knowfun.io API key and letting it send prompts, URLs, and task data to Knowfun.io. Prefer a temporary environment variable or a protected secret manager over adding the key to shell startup files, avoid sudo/manual symlink installs unless you have reviewed the files, and use approval gates before letting remote chat or natural-language prompts create tasks that may consume credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (51)

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%
The document advertises OpenClaw capabilities such as autonomous workflows, browser automation, full file access, shell control, and self-written extensions even though the knowfun skill is meant for educational content generation. This unnecessarily broadens the operational scope around the skill and normalizes high-risk agent behavior without tying it to a legitimate need, which can encourage unsafe deployment in overly privileged environments.

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
The CLI exposes non-core operations such as credits, pricing, usage telemetry, and task listing in addition to educational content generation. In an agent-skill context, this broadens the tool's authority and can enable unnecessary access to account metadata and usage history, increasing data exposure and the chance of unintended actions beyond the user's expected task.

Missing User Warnings

Severity: Medium | Confidence: 93%
The guide instructs users to export and persist an API key in shell startup files without warning that the secret will be stored in plaintext and may be exposed through shell history, backups, dotfile sync, or local compromise. This is not malware, but it is an insecure secret-handling practice that can lead to credential leakage and unauthorized use of the Knowfun API.

Missing User Warnings

Severity: Medium | Confidence: 88%
The Cursor instructions say natural-language requests will cause Cursor to run CLI commands on the user's behalf, but they do not warn users that chat input may trigger command execution. In an agentic environment, that omission increases the risk of unintended or socially engineered execution, especially if prompts are copied from untrusted sources.

Missing User Warnings

Severity: Medium | Confidence: 88%
The Cline section encourages chat-based use that may automatically execute CLI actions, but it does not disclose that operational behavior or advise users to review what will be run. This can enable accidental task creation or abuse through prompt injection/social engineering in the agent context.

Missing User Warnings

Severity: Medium | Confidence: 91%
The OpenClaw section presents natural-language usage, including remote chat-app contexts, without warning that commands may execute automatically in a remote or unattended environment. Because OpenClaw supports remote access, the omission is more dangerous here: a mistaken or malicious message could trigger real actions without local review.

Missing User Warnings

Severity: Medium | Confidence: 96%
The documentation instructs users to append a live API key directly into shell startup files, which causes long-term plaintext credential storage on disk. This increases exposure through local compromise, backups, dotfile sync, screen sharing, and accidental publication, even though the content appears to be ordinary setup guidance rather than an attack.

Missing User Warnings

Severity: Medium | Confidence: 96%
This repeats the same insecure practice during Cline setup by telling users to write the API key into shell profile files without any warning. Repetition across install paths makes widespread insecure secret handling more likely and normalizes credential persistence as the default.

Missing User Warnings

Severity: Medium | Confidence: 96%
The OpenClaw instructions again recommend persisting the API key in shell configuration files, creating the same credential exposure risk. Because this is installation documentation, users are likely to copy-paste the commands verbatim, so the unsafe pattern has real operational impact.

Missing User Warnings

Severity: Medium | Confidence: 98%
The general setup section broadly recommends saving the API key to ~/.zshrc or ~/.bashrc without disclosing that this stores the secret in plaintext and may expose it via local access, backups, shell history workflows, or dotfile repositories. As a shared setup section for all platforms, it amplifies the insecure practice across the whole skill.

Missing User Warnings

Severity: Medium | Confidence: 89%
The documentation tells users to set an API key in an environment variable but gives no guidance on secure handling, such as avoiding committing secrets to shell profiles, logs, screenshots, or shared environments. While exporting an environment variable is common practice, omitting security cautions in publishing/setup documentation increases the chance of accidental credential exposure and downstream account misuse.

Missing User Warnings

Severity: Medium | Confidence: 92%
The installation instructions recommend a privileged global symlink via sudo into /usr/local/bin without any warning about trust, path integrity, or safer alternatives. Encouraging users to run root-level commands for a local script increases the chance of privilege misuse or installation of tampered code.

Missing User Warnings

Severity: Medium | Confidence: 92%
This section repeats sudo-based global installation guidance for another platform without any safety caveats. Repeatedly presenting privileged commands as standard setup can condition users to elevate permissions unnecessarily and expands the blast radius if the referenced script or working directory is compromised.

Missing User Warnings

Severity: High | Confidence: 96%
The OpenClaw section highlights remote control, persistent memory, browser automation, full file access, and shell control with no safety warning or constraints. Presenting these capabilities casually in a skill comparison is dangerous because it can normalize deploying the skill in a highly privileged, remotely reachable agent environment where compromise or misuse would have major consequences.

Missing User Warnings

Severity: Medium | Confidence: 91%
The OpenClaw installation instructions again use a privileged global symlink without warning, now in the same section that promotes broad system access features. Combining root-level setup with an agent platform described as having shell and file control increases operational risk and could magnify the impact of a bad script, mistaken path, or later misuse.

Missing User Warnings

Severity: Medium | Confidence: 95%
The quickstart tells users to export the API key directly on the command line and append it to ~/.zshrc, which can expose the secret through shell history and leave it stored in plaintext in a startup file. For an API-backed skill, this increases the chance of credential disclosure to other local users, backup systems, dotfile sync tools, or malware on the host.

Missing User Warnings

Severity: Medium | Confidence: 96%
The installation flow downloads SKILL.md directly from a remote GitHub URL into the user's trusted skill directory with no integrity check, pinning, or review step. If the remote content, repository, branch, or transport trust is compromised, users could install altered instructions or behavior into a persistent agent skill location.

Missing User Warnings

Severity: Medium | Confidence: 94%
The guide instructs users to append the Knowfun API key directly into ~/.zshrc, which stores a long-lived secret in plaintext in a shell startup file without any warning about local disclosure risk. That increases exposure through backups, shared accounts, dotfile sync, screen sharing, or accidental publication of shell configuration files.

Missing User Warnings

Severity: Medium | Confidence: 90%
The README clearly describes use of a third-party API for generating courses, posters, games, and films, but it does not explicitly warn users that their submitted text, documents, or URLs are sent off-device to Knowfun.io for processing. In a skill handling potentially sensitive educational or corporate materials, lack of a prominent disclosure can lead users to unintentionally transmit confidential data to an external service.

Missing User Warnings

Severity: Medium | Confidence: 93%
The setup instructions advise persisting the API key in shell startup files such as ~/.zshrc without warning that these files may be broadly readable to the user account, copied into backups, exposed through dotfile syncing, or inherited into unrelated sessions. This increases the chance of credential leakage and long-lived compromise if the workstation or account is accessed by another process or person.

Missing User Warnings

Severity: Medium | Confidence: 91%
The README repeatedly instructs users to submit text, document URLs, and other materials to the Knowfun.io API, but it does not clearly warn that these inputs are transmitted to an external third-party service. This can cause unintentional disclosure of proprietary, personal, or regulated data because users may assume the tool operates locally or may not appreciate the privacy implications.

Missing User Warnings

Severity: Medium | Confidence: 94%
The documentation recommends persisting the API key in shell startup files such as ~/.zshrc without warning that this stores a long-lived credential on disk and may expose it through backups, dotfile syncing, shared accounts, or accidental commits. While common, this is still a credential-handling risk and should be documented with safer alternatives and caveats.

Missing User Warnings

Severity: Medium | Confidence: 92%
The callback and curl examples show direct submission of task content and authentication headers to external endpoints, but they do not explicitly warn that both the material and bearer token traverse the network and that callback URLs introduce another outbound data-sharing path. Users may copy these examples without recognizing the security and privacy consequences of sending sensitive content off-host.

Missing User Warnings

Severity: Medium | Confidence: 95%
The skill accepts free-form prompts and URLs for `create` operations and sends them to a third-party API, but it does not clearly warn users that their inputs may leave the local environment and be processed externally. This creates a privacy and data-handling risk: users may paste sensitive text, internal documents, or private URLs without informed consent, especially because the skill is user-invocable and framed as a content-generation helper.

Missing User Warnings

Severity: Medium | Confidence: 95%
The API reference instructs users to send bearer API keys plus user-provided text or URLs to a third-party remote service, but it does not warn about privacy, confidentiality, retention, or consent requirements. In a skill that processes educational materials and potentially sensitive documents, this omission can lead to unintentional disclosure of proprietary, personal, or regulated content to an external processor.

VirusTotal

66/66 vendors flagged this skill as clean.