icp-exemption-skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to generate the promised Apple ICP exemption PDF, but it can silently perform a host-level package installation and may ask for account-identifying details too broadly.

Review before installing. Use this only in an environment where an attempted system font installation is acceptable, or remove that apt-get fallback first. Do not provide real Team ID, legal name, or App ID unless you trust the chat and execution environment, and invoke it only when you explicitly want to generate the Apple ICP exemption attachment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if font_name == "Helvetica":
    try:
        import subprocess
        subprocess.run(
            ["apt-get", "install", "-y", "-q", "fonts-wqy-zenhei"],
            capture_output=True, timeout=60
        )
Confidence
97% confidence
Finding
subprocess.run( ["apt-get", "install", "-y", "-q", "fonts-wqy-zenhei"], capture_output=True, timeout=60 )

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Attempting to install fonts via apt-get is not necessary for a PDF-generation skill and introduces unauthorized system modification. In an agent or sandbox context, this is especially dangerous because the skill may run automatically and perform package-management actions without explicit operator approval.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description says to trigger immediately on broadly related ICP/App Store China compliance topics, which can cause the agent to activate in conversations that are only tangentially related. Over-broad auto-triggering is dangerous because it may steer users into disclosing sensitive account information or invoking file-generation actions without clear intent.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The listed scenarios are ambiguous and lack scope limits, so the skill may activate for general compliance discussions, appeals, or policy questions that do not actually require document generation. In this context, that increases the chance of unnecessary collection of Team ID, legal name, and App ID, and may push users toward a process they did not request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill asks users to provide sensitive account-identifying information in chat, including Team ID, legal name, and App ID, without any privacy notice, minimization guidance, or handling safeguards. In a broadly triggered skill, this raises the risk of oversharing, retention of personal/business data, and disclosure in an unsuitable channel.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill performs a package installation without any user-facing warning or consent, creating an unexpected privileged side effect. While this is framed as a fallback for Chinese font support, hidden package installation violates least surprise and can break trust, policy boundaries, or immutable/containerized environments.

VirusTotal

64/64 vendors flagged this skill as clean.
