fadada-esign

Security checks across malware telemetry and agentic risk

Overview

This is a FaDaDa e-signature integration that performs sensitive but expected contract upload, signing, status, and download workflows.

Install only if you intend to use FaDaDa for contract signing. Confirm the contract, signer identities, phone numbers, provider endpoint, and output paths before running send, batch, download, or cancel commands; prefer environment variables or a secure secret store for API secrets, restrict config-file permissions, and treat signing links and downloaded contracts as confidential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Tainted flow: 'upload_url' from requests.post (line 148, network input) → requests.put (network output)

Medium
Category
Data Flow
Content
file_id = upload_info.data.file_id
            
            with open(file_path, 'rb') as f:
                requests.put(upload_url, data=f)
            
            return file_id
        else:
Confidence
89% confidence
Finding
requests.put(upload_url, data=f)

Tainted flow: 'upload_url' from requests.post (line 148, network input) → requests.put (network output)

Medium
Category
Data Flow
Content
file_id = result["data"]["file_id"]
            
            with open(file_path, 'rb') as f:
                requests.put(upload_url, data=f)
            
            return file_id
Confidence
92% confidence
Finding
requests.put(upload_url, data=f)

Tainted flow: 'upload_url' from requests.post (line 126, network input) → requests.put (network output)

Medium
Category
Data Flow
Content
# Upload the file
            with open(file_path, 'rb') as f:
                requests.put(upload_url, data=f)
            
            return file_id
        else:
Confidence
89% confidence
Finding
requests.put(upload_url, data=f)

Tainted flow: 'upload_url' from requests.post (line 126, network input) → requests.put (network output)

Medium
Category
Data Flow
Content
# Upload the file
            with open(file_path, 'rb') as f:
                requests.put(upload_url, data=f)
            
            print(f"文件上传成功,File ID: {file_id}")
            return file_id
Confidence
89% confidence
Finding
requests.put(upload_url, data=f)

Tainted flow: 'download_url' from requests.post (line 159, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
print(f"正在下载文件: {file_name}")
        
        # Download the file
        file_response = requests.get(download_url)
        if file_response.status_code != 200:
            raise Exception(f"下载文件失败: HTTP {file_response.status_code}")
Confidence
94% confidence
Finding
file_response = requests.get(download_url)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents access to environment variables, local file read/write, and outbound network use, but does not declare any permissions. That creates a transparency and consent problem: an agent or user may invoke a skill expecting simple contract help while it can also access credentials, persist local state, and transmit data externally. In a document-signing context, those capabilities touch sensitive contracts and API secrets, so undeclared access materially increases risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior exceeds the declared purpose by including cancellation, template-based task generation, bulk/concurrent operations, local configuration management, and callback-signature utilities. This mismatch undermines informed use and review because higher-impact functions—especially destructive or large-scale ones—may be available without being advertised up front. In an e-sign workflow, hidden cancellation or bulk-send capabilities could disrupt business processes or trigger unintended signing operations at scale.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README encourages uploading contracts, sharing signer names and phone numbers, and exposing signing links to a third-party e-sign service without warning users that sensitive documents and personal data will leave their local environment. In a contract-signing skill, that omission can lead to uninformed data disclosure, compliance issues, and accidental sharing of confidential signing URLs.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases include broad, common expressions such as '发合同' and '电子签', which can match ordinary conversation and cause accidental invocation. Mis-triggering matters here because the skill can read configuration, access sensitive files, and initiate real external signing workflows. In a business setting, an accidental activation could expose contract metadata or start unintended signing actions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad, common phrases such as '发合同', '电子签', and '下载合同', which can match routine user requests without confirming intent to use this specific skill. In a skill that can initiate legally significant signing workflows and send notifications to counterparties, overbroad triggering can cause unintended invocation and accidental contract operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This section documents high-impact task-control operations such as cancel, block, finish, abolish, delete, and extension without clearly warning the agent or end user that these actions may be irreversible or materially affect legal signing workflows. In an agent skill context, omission of such guardrails increases the chance that an automated assistant could execute destructive contract actions from ambiguous or insufficiently confirmed user requests.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script accepts the API secret directly as a command-line argument, which can expose the credential through shell history, process listings, audit logs, or job runners. In a signing/contract workflow, leakage of this secret could let an attacker generate valid API signatures and impersonate the integration toward the e-sign service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script prints signer-specific sign URLs to stdout, which can expose bearer-style access links in shell history, logs, CI output, terminal recording, or shared consoles. In an e-signature context, these URLs may grant unauthorized parties direct access to signature flows or sensitive contract details, making the context especially sensitive.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The function writes downloaded contract content directly to a caller-supplied path without validation or confinement to a safe directory. In an agent setting, a malicious prompt or unsafe higher-level caller could supply sensitive filesystem targets, causing overwrites of arbitrary local files or placement of untrusted content in risky locations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script’s documented usage requires passing the app secret as a positional command-line argument, which can expose the credential through shell history, process listings, audit logs, or job runners. In this skill context, the secret is an API credential for contract-signing operations, so exposure could let an attacker generate valid request signatures and misuse the FASC integration.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script consumes a sensitive credential and prints authentication headers containing a valid signature, timestamp, message ID, and app ID. While this does not directly print the secret itself, the emitted material may be captured in terminal logs or automation output and could be replayed or abused if accepted by downstream systems, especially because this skill is designed to perform contract-signing actions.

Session Persistence

Medium
Category
Rogue Agent
Content
**Method 2: configuration file**
```bash
# Create the configuration file
mkdir -p ~/.fadada
cat > ~/.fadada/config.json << EOF
{
  "app_id": "your_app_id",
Confidence
90% confidence
Finding
mkdir -p ~/.fadada cat > ~/.fadada

VirusTotal

67/67 vendors flagged this skill as clean.
