度小满天气商户 (Duxiaoman Weather Merchant)

Security checks across malware telemetry and agentic risk

Overview

This is mostly a disclosed paid weather-service integration, but it needs review because its bundled QR helper can silently send arbitrary QR contents to dxmpay and write files to disk, even though its local comments and options suggest a narrower, local-only scope.

Install only if you trust dxmpay.com with weather queries, account identifiers, payment links, and any QR contents generated by the bundled helper. Review payment destinations before scanning, use a strong private-key password, and clean up generated QR PNG files and local config as needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
The script claims to be a local QR generator but actually sends the full input to an external shortening service and may replace the original content with a third-party short URL before encoding. This creates an undisclosed data exfiltration path and changes the semantic meaning of the QR code, which is especially risky if inputs contain internal links, tokens, customer data, or operational URLs.

Context-Inappropriate Capability

Severity: High. Confidence: 92%.
A weather-service skill containing QR generation plus external short-link creation is materially outside its declared purpose, which increases suspicion and reduces the likelihood that users or reviewers expect network transmission or file output. Capability mismatch in an agent skill is dangerous because it can hide covert data handling or unauthorized side effects behind an unrelated trigger surface.

Intent-Code Divergence

Severity: Medium. Confidence: 95%.
The comments describe a local, dependency-free generator and suggest file saving is optional, but the implementation performs outbound network access and always writes a PNG to disk. This kind of misleading documentation causes callers to make unsafe trust assumptions, leading to unintended data disclosure and filesystem side effects.

Context-Inappropriate Capability

Severity: Medium. Confidence: 76%.
The skill accepts a server-supplied payUrl and immediately renders it as a QR code for payment without validating the destination, confirming the merchant, or constraining the URL to an allowlisted payment domain. If the service or network path is compromised, users could be redirected into phishing or fraudulent payment flows under the guise of topping up weather-service balance.

Vague Triggers

Severity: Medium. Confidence: 84%.
The trigger conditions include broad everyday phrases like asking about weather or usage records, which can cause the skill to activate in normal conversation without a sufficiently narrow scope check. In this skill's context, unintended activation is more dangerous because activation can lead to credential prompts, network calls, local config creation, and payment upsell flows.

Missing User Warnings

Severity: Medium. Confidence: 98%.
The code transmits user-supplied text/URL to a third-party shortening service without user-facing notice or consent. Even if intended for convenience, this exposes potentially sensitive inputs to an external operator and may violate privacy, compliance, or least-privilege expectations.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The script writes a PNG file to the current working directory regardless of the saveToFile option, creating an undisclosed persistent artifact. Unconditional file creation can leak data to shared workspaces, overwrite expected boundaries of a calling tool, and leave sensitive QR content on disk unexpectedly.

Missing User Warnings

Severity: Medium. Confidence: 86%.
The script writes a configuration file containing an encrypted private key and account identifiers to disk but does not set restrictive file permissions or warn the user that sensitive credential material is being persisted locally. On multi-user systems or in shared skill directories, other local users or processes may be able to copy the file and attempt offline password guessing against the encrypted key.

VirusTotal

64/64 vendors flagged this skill as clean.