ClawHub

搜索网页规则管理(多平台增强版 - 安全加固)

Security checks across malware telemetry and agentic risk

Overview

The skill is useful and mostly transparent, but it needs review because it can store, upload, move, and delete search content across local files and cloud accounts with some inconsistent consent and safety guidance.

Install only if you are comfortable giving the agent access to the selected knowledge platform and reviewing each upload, move, migration, and delete. Prefer local Obsidian direct-file use with strict path validation, avoid unauthenticated Obsidian REST API, do not upload sensitive content to NotebookLM/Google Drive/Tencent/IMA, and keep backups or version history enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The workflow directs the agent to save '待確認' and '自動通過' content into the temporary knowledge store before the user completes the confirmation step, while other sections claim updates happen only after explicit user approval. This inconsistency can cause unintended persistence of scraped content, including sensitive or copyrighted material, and undermines the user's expectation of approval-gated writes.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The note says the agent should always update the URL library and save content only after user confirmation, but earlier instructions allow automatic knowledge-base creation and automatic handling of whitelist content. Such contradictory guidance can lead an implementing agent to perform state-changing actions without consent, creating unauthorized files, records, or retained content.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The example states that the skill creates a persistent config file under the user's home directory, which expands from search-rule management into local filesystem state changes. This is dangerous because it normalizes silent persistence and local configuration writes without clearly requiring informed consent, creating a foothold for unwanted tracking, state retention, or abuse by a modified skill.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document states that all file operations validate paths within the Vault, but the operational examples earlier create, write, and move files using configured and derived paths without consistently invoking the validation helper. In a skill that manages filesystem content based on configuration, titles, URLs, and destination folders, this mismatch can lead implementers to trust unsafe examples and introduce path traversal or writes outside the intended Vault boundary.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The SECURITY.md file is entirely in Chinese while the skill requests significant permissions including filesystem access, browser automation, and handling of potentially sensitive search data. If operators or reviewers cannot read the guide, they may grant risky capabilities without understanding constraints, which undermines informed consent and safe deployment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example saves retrieved article content into temporary storage as part of the workflow, but it does not clearly warn the user that external content will be fetched and stored locally or in a knowledge base staging area. This can expose users to privacy, copyright, and data-retention risks, especially if the fetched material contains sensitive or unexpected content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow deletes files from temporary storage after archiving, but the example does not provide a clear user-facing warning about deletion behavior or whether recovery is possible. Silent cleanup actions can cause accidental data loss if users expected the temporary cache to remain available for review or rollback.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The configuration example persists settings in the user's home directory without a clear warning that local settings will be written and retained across sessions. Even if the stored fields appear low sensitivity, undisclosed persistence can violate user expectations and become a substrate for profiling or later misuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This workflow uploads retrieved content into Tencent Docs temporary storage without explicitly warning that third-party cloud storage will be used. That increases privacy and compliance risk because externally fetched data may be transferred to another service provider without the user's informed approval.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Tencent Docs flow removes temporary files after processing, but the example does not explicitly warn the user that cloud-stored temporary content will be deleted. This can lead to unexpected loss of records and confusion about what remains stored remotely versus what has been archived elsewhere.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The migration example transfers stored data between platforms without a clear privacy warning about moving content to a different service with potentially different security, jurisdiction, and access controls. Cross-platform transfer increases exposure because users may not realize their stored URLs and article content are being replicated into a new environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document instructs uploading fetched web content into a knowledge base but does not require a user-facing warning, consent check, or data-sensitivity review before storage. In this skill’s context, search results can contain copyrighted, personal, confidential, or prompt-injected content, so silently persisting them increases privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The deletion instructions describe removing knowledge-base files without a clear destructive-action warning or confirmation requirement. In an agent skill, this can lead to accidental or premature deletion of retained search records or user data, especially if the agent interprets cleanup instructions too aggressively.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The NotebookLM section recommends browser automation to log into a Google account and upload content, but does not place an explicit, immediate warning next to those steps that data will be sent to external Google services and that automated account actions may have privacy, policy, and credential-handling implications. In a skill that manages searched web content and knowledge-base migration, this omission can cause users or downstream agents to transfer sensitive material off-platform without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The migration guidance for moving data to NotebookLM describes exporting and uploading content but omits a direct warning that the migrated data will leave the current platform and be uploaded to Google-controlled services. Because this file is operational guidance for cross-platform data handling, the missing warning increases the risk of accidental disclosure of internal, private, or regulated content during migration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs deletion of processed documents from the knowledge base without any warning, confirmation requirement, or recovery guidance at the point of deletion. In an agent skill context, this can normalize or automate destructive actions and lead to accidental data loss, especially because the same file also describes routine content management workflows that may be executed repeatedly.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal