TKSeller

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for TKSeller automation, but it handles passwords, tokens, Discord authority, and background polling in ways users should review carefully before installing.

Install only if you trust the TKSeller publisher and are comfortable typing account credentials into chat, having them sent to the configured backend, allowing the skill to read OpenClaw gateway/channel credentials, register Discord commands, and run a background poller. Prefer a version that uses HTTPS, a safer login flow, scoped Discord registration, explicit polling controls, and documented token deletion/rotation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Intent-Code Divergence

High (98% confidence)
Finding
The skill directs the agent to invoke `node ./lib-js/trigger.mjs "<老板原始消息文本>"`, which includes raw login messages such as `登录 user password` on the command line. Command-line arguments are commonly exposed via process listings, shell history, logs, telemetry, or crash reports, so this can leak credentials even if the assistant does not echo them back to the user.

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The module reads OpenClaw configuration and extracts the gateway bearer token directly from the user's home-directory credential file. This gives the skill implicit access to sensitive local credentials and downstream channel configuration without clear consent boundaries, increasing the blast radius if the skill is modified, compromised, or misused.

Missing User Warnings

High (99% confidence)
Finding
The README explicitly instructs users to send usernames and passwords in chat using plain-language input, and states that the login will be automatically saved. This exposes credentials to chat logs, platform operators, bots, screenshots, and any compromised channel integrations, making credential theft and account compromise significantly more likely.

Vague Triggers

High (95% confidence)
Finding
The trigger set includes broad everyday words like “开始”, “推荐”, and “带货”, and the skill mandates execution whenever they appear. This raises the risk of unintended activation, causing network calls, account-flow prompts, command registration, or background polling in response to ordinary conversation rather than deliberate user consent.

Missing User Warnings

Medium (90% confidence)
Finding
The skill initiates account handling, persistent local storage (`token.json`, state files), command registration, and recurring cron polling with minimal user-facing disclosure. Hidden persistence and background activity reduce informed consent and can surprise users with ongoing processing or retained secrets/state after a single trigger.

Missing User Warnings

Medium (90% confidence)
Finding
The code derives a persistent device identifier from BIOS UUID or machine-id and does so by invoking platform commands, then hashes and sends that identifier during authentication. Even though the value is transformed, it still enables stable device fingerprinting without any visible consent, notice, or opt-out in this file, creating privacy and tracking risk beyond what is necessary for basic API access.

Missing User Warnings

Medium (84% confidence)
Finding
The login function transmits username, password, and a persistent device identifier to a server, but this file contains no enforcement that the configured base URL uses HTTPS and no user-facing disclosure about the device ID being sent. If the base_url is misconfigured to HTTP or an untrusted endpoint, credentials and tracking data could be exposed in transit or sent to an attacker-controlled service.

Missing User Warnings

Medium (95% confidence)
Finding
The gateway token is loaded from a sensitive local config file with no user-facing disclosure or permission check. Even if not immediately exfiltrated in this file, silently consuming a reusable bearer token enables privileged gateway actions and creates an unsafe trust model for skill code.

Missing User Warnings

Medium (91% confidence)
Finding
The script enumerates every guild the bot belongs to and automatically performs POST requests to register a slash command in each one, with no confirmation, scoping control, dry-run mode, or allowlist. In a skill context, this can cause unintended mass changes across all connected Discord servers and expands the blast radius of any mistaken execution or malicious configuration, even though it is not direct code execution or credential theft.

Missing User Warnings

Medium (84% confidence)
Finding
The skill solicits and transmits raw usernames and passwords through chat-driven interaction without any explicit warning about the sensitivity of those credentials or guidance on secure handling. In agent/chat environments, users may assume the channel, logs, upstream model, or integrations could retain message contents, increasing the risk of credential exposure beyond the intended API call.

Ssd 3

High (99% confidence)
Finding
The documentation directs users to submit credentials directly in chat as normal text, which is an unsafe authentication pattern. In the context of Discord/webchat interaction, this is more dangerous because messages may be retained, viewed by administrators, exposed through integrations, or mishandled by the agent platform, enabling credential disclosure and downstream account takeover.

Ssd 3

High (97% confidence)
Finding
The documented login flow asks users to submit account credentials through normal chat interaction and persists authentication material locally in `data/token.json`. Collecting credentials in-band and normalizing local secret storage increases the chance of exposure through logs, backups, filesystem access, debugging artifacts, or accidental mishandling by surrounding tools.

Ssd 3

High (94% confidence)
Finding
The forced-trigger rule treats the user's next reply after a login prompt as credentials and requires the skill to capture and process it. This creates a coercive pattern that can misclassify unrelated follow-up messages as secrets and increases the likelihood that sensitive data will be collected and routed automatically without clear reconfirmation.

Ssd 3

High (93% confidence)
Finding
The skill documentation normalizes persistent storage of authentication tokens and repeated credential prompting as routine operation. Treating secret retention and re-entry as ordinary behavior increases long-term exposure risk and encourages implementations that lack secure storage, minimization, and lifecycle controls.

VirusTotal

64/64 vendors flagged this skill as clean.
