General Report Generator consulting-report-generator

Security checks across malware telemetry and agentic risk

Overview

This report generator is a Review case because it can automatically process uploads, scan local skills, persist data, send reports externally, and rewrite its own skill files.

Install only if you are comfortable with a report skill that can inspect uploaded documents, perform network research, use a local model endpoint, write local extraction/log files, scan installed skills, and send finished reports to external channels. For sensitive documents, disable self-evolution/self-repair, local skill scanning, automatic delivery, and web search unless explicitly approved per run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Tainted flow: 'req' from os.environ.get (line 61, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
try:
    import urllib.request
    req = urllib.request.Request(f"{OLLAMA_HOST}/api/tags")
    with urllib.request.urlopen(req, timeout=5) as resp:
        data = json.loads(resp.read())
        return len(data.get("models", [])) > 0
except:
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=5) as resp:

Tainted flow: 'req' from os.environ.get (line 61, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

try:
    with urllib.request.urlopen(req, timeout=120) as resp:
        data = json.loads(resp.read())
        return data.get("response", "")
except Exception as e:
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=120) as resp:

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly instructs autonomous self-modification of its own SKILL.md and reference files based on runtime issues and feedback. Self-modifying behavior is highly risky because it enables persistence, policy drift, and potentially attacker-influenced changes to future executions, especially when user input and execution errors are fed back into the modification loop.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatically scanning and integrating other local skills is unrelated to generating a report from user content and expands the trust boundary to the entire local skill set. This can expose metadata about installed skills, create unexpected cross-skill invocation paths, and allow unsafe composition without user awareness.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill frames itself as a report generator but also mandates automatic delivery of generated files to WeChat, email, or Tencent Docs. This is a direct onward-disclosure path for potentially sensitive user materials and generated analyses, and is especially dangerous because it is presented as a required workflow step rather than an optional, separately consented action.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill includes creation of automated post-generation delivery tasks, extending disclosure beyond the immediate user request into persistent automation. That creates ongoing exfiltration risk if future reports contain confidential content or if the destination remains enabled unintentionally.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The requirements explicitly add autonomous scanning of `~/.workbuddy/skills/` to discover other local skills, which exceeds the stated purpose of generating reports. Inspecting unrelated local skill files creates unnecessary access to local data and expands the trust boundary, increasing the chance of unintended data exposure or capability abuse if the scanned content is sensitive or adversarial.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documented self-repair behavior allows the skill to write into `SKILL.md`, update helper definitions, and append new checks automatically. A report generator should not modify its own skill files or operational definitions during normal use; this creates a self-modifying system that can corrupt trusted configuration, introduce persistence, and be steered by malformed inputs or adversarial feedback.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The WeChat push/delivery workflow introduces external transmission of generated files, which is not part of the core declared purpose and materially changes the risk profile. Sending outputs to an external mini-program can leak sensitive report content, metadata, or attachments if triggered unexpectedly or without strong user confirmation.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This module defines a persistent self-evolution subsystem that scans the user's local ~/.workbuddy/skills directory and records information about other installed skills. That behavior exceeds the core purpose of report generation and creates unnecessary local inventorying of user environment data, which can expose sensitive metadata about installed capabilities and user workflows if misused or later exfiltrated.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code actively enumerates other local skills, reads their SKILL.md files, scores relevance, and persists discovered entries. In the context of a reporting skill, this is unnecessary capability expansion that increases attack surface and enables unauthorized profiling of the local agent ecosystem, especially because the broader skill description says uploads can auto-trigger the skill.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code directly overwrites the skill's own SKILL.md via save_skill_md(), enabling autonomous modification of documentation outside the expected scope of a consulting report generator. Even if intended for maintenance, self-modifying behavior can hide changes, alter operator expectations, and create a persistence mechanism for future unsafe behavior without explicit approval.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill persistently creates and rewrites local evolution and error-tracking files as part of an autonomous self-improvement system. This exceeds normal report generation, introduces undeclared statefulness, and can accumulate sensitive operational data or create a foothold for stealthy behavioral drift over time.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This section automatically edits SKILL.md based on runtime errors, including appending new entries and altering documented behavior. In the context of a report generator, self-modification is especially risky because it allows the skill to redefine its own operating instructions and can be abused to entrench unauthorized capabilities or conceal prior failures.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Automatically incrementing the version in SKILL.md during runtime is not necessary for generating consulting reports and creates unauthorized metadata changes. While lower risk than full content rewriting, it still enables silent mutation of the skill package and can interfere with auditability, release management, and trust in version provenance.

Vague Triggers

High
Confidence
89% confidence
Finding
The trigger conditions are overly broad, including generic phrases and auto-triggering whenever a user uploads any content. In a document-processing skill with networking, file writes, local scanning, and delivery behavior, broad triggers materially increase the chance of accidental activation on sensitive uploads.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Phrases like 'supports any content input' and 'automatically identifies content type' leave the applicability boundary undefined. In context, that ambiguity is risky because the skill may process sensitive or unsupported material without adequate user understanding of how far the workflow extends.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill describes scanning local skills, tracking usage, recording errors, and writing logs, but does not provide clear user-facing notice about data retention and system impact. This is dangerous because user inputs, file metadata, and interaction history may be persisted without informed consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill performs online search, web fetching, and material collection without clearly warning that user-derived keywords, topics, or extracted document content may be sent to external services. In a report-generation context, uploaded materials may contain confidential project, customer, financial, or strategic information.

Missing User Warnings

High
Confidence
98% confidence
Finding
The workflow mandates pushing generated files to external destinations but lacks a prominent warning about disclosure risk. Because the inputs are user-supplied business documents and the outputs may contain expanded analysis, automatic transfer can leak highly sensitive content outside the local environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill specifies automatic logging of usage, errors, and improvements plus file updates, but the document does not describe user notice, consent, retention limits, or data minimization. For a tool that may process arbitrary uploaded documents, silent local persistence can capture sensitive business content, filenames, or behavioral telemetry without the user's awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatic inspection of the local skills directory is described without any user-facing warning or consent flow. Even if intended for feature discovery, silently reading local skill files can expose unrelated prompts, secrets, or proprietary configurations and is especially risky because skill files are potentially adversarial and outside the report generator's scope.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The requirements call for automatic web/material search and local caching without a privacy or network-use warning. This can cause uploaded content or derived keywords to be sent to external services and stored locally, which may reveal confidential project topics, customer names, or internal terminology during routine report generation.

Missing User Warnings

High
Confidence
98% confidence
Finding
The WeChat mini-program delivery feature transmits generated files externally but the document lacks an explicit warning about data egress. Because reports may contain sensitive corporate information, undisclosed external transmission creates a significant confidentiality risk and can violate user expectations or organizational policy.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code overwrites SKILL.md without user confirmation, warning, or any review gate. Undisclosed writes to core skill files are dangerous because they can alter functionality and instructions silently, making misuse or accidental corruption harder to detect in a skill that users expect only to generate documents.

VirusTotal

60/60 vendors flagged this skill as clean.
