Beike Xiaoqu Research

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Beike real-estate research helper, but users should understand it automates Chrome and can optionally send housing requirements to configured AI models.

Install only if you are comfortable letting an agent control a Chrome tab through mcp-chrome and save Beike-derived files locally. Use a dedicated browser profile or Beike-only tab when possible, review the chosen output directory after runs, and enable consensus mode only when you are willing to share your budget, location preferences, and candidate list with the PAL/model provider you configured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 79%
Finding
The trigger phrases include broad natural-language requests like checking a neighborhood or finding candidate communities, which may overlap with ordinary conversation and cause accidental activation. Mis-triggering is dangerous here because the skill can launch browser automation, call local MCP services, and write files without the user intending those side effects.

Missing User Warnings

Medium
Confidence: 92%
Finding
The document explicitly states that mcp-chrome lets an agent control the browser using the user's already authenticated session, but it does not pair that capability with a clear warning about access to private account data, cookies, and sensitive in-session actions. In this skill context, that omission is more dangerous because the skill is designed to browse a live real-estate site via a logged-in browser, so an operator could underestimate the privacy and account-risk implications.

Missing User Warnings

Medium
Confidence: 95%
Finding
The examples demonstrate arbitrary JavaScript execution in an open browser tab without warning that the same mechanism can read sensitive page content, DOM data, and potentially trigger state-changing actions in authenticated web apps. In the context of an agent skill that automates a user's browser, this materially increases risk because the boundary between benign scraping and invasive session abuse is very thin.

Missing User Warnings

Low
Confidence: 83%
Finding
The screenshot example persists captures to the local Downloads directory without warning that screenshots may contain personal information, account details, or other sensitive authenticated content. While lower severity than arbitrary JS execution, silent local persistence creates a real confidentiality risk, especially on shared machines or when other software syncs or indexes Downloads.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script sends detailed housing candidate data and user requirements to external PAL/MCP-backed models without any consent gate, warning, masking, or data-minimization step. Even if the data seems business-oriented, it can still reveal sensitive preferences, budget, location intent, and proprietary scraped datasets to third-party model providers or logging infrastructure.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script enumerates existing Chrome windows/tabs, selects a tab matching ke.com or falls back to the first available tab, then runs JavaScript to read page text through the local MCP Chrome service. This can access content from an already-authenticated browser context without clear consent at runtime, creating a privacy boundary issue and potential unintended exposure of browser session data if the wrong tab is selected or the MCP service is broader than expected.

VirusTotal

64/64 vendors flagged this skill as clean.
