Scalingup Daily

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the advertised report generation, but it automatically publishes through stored cloud credentials and has credential-handling and helper-script risks that need review.

Install only if you want reports automatically uploaded to IMA and Tencent Docs. Before enabling automation: confirm the IMA knowledge-base ID is yours, restrict credential files to owner-only permissions, keep tokens out of terminal logs and printed API responses, review the first generated report before it is published, and make sure the COS upload helper comes from a trusted installed IMA skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"--expired-time", str(cos_credential["expired_time"])
    ]
    
    result_cos = subprocess.run(cos_cmd, capture_output=True, text=True)
    print("COS stdout:", result_cos.stdout)
    if result_cos.stderr:
        print("COS stderr:", result_cos.stderr)
Confidence
89% confidence
Finding
result_cos = subprocess.run(cos_cmd, capture_output=True, text=True)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file dynamically locates and executes a Node.js helper script from the local skill installation tree, which materially extends the script's behavior beyond the visible Python code. In this context, that is dangerous because the helper receives cloud upload credentials and the target file, so any substituted helper can silently exfiltrate data or abuse the temporary COS access.
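Added example, not code from the scanned skill or from IMA: one way a skill could invoke a helper like the COS uploader without the two weaknesses the finding above and the subprocess finding describe. It pins the helper to the installed skill tree (rejecting symlinks that escape it and files other local users could rewrite), passes the temporary credential through environment variables instead of argv, and redacts the credential from anything the helper prints before it is logged. The skill root, helper name, credential keys and the COS_* variable names are assumptions; the demo stands in a Python stub for the Node.js helper so it runs without node.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Assumed for illustration: a skill root, a helper name, and a credential dict with
# the keys below. Nothing here is taken from the scanned skill's own code.
WRITABLE_BY_OTHERS = 0o022  # group or world write bit


def locate_helper(skill_root: str, relative: str) -> Path:
    """Resolve a helper under the installed skill tree, following symlinks, and
    refuse anything that escapes the tree or that another local user could modify."""
    root = Path(skill_root).resolve(strict=True)
    helper = (root / relative).resolve(strict=True)
    if root not in helper.parents:
        raise PermissionError(f"{helper} resolves outside {root}")
    st = helper.stat()
    if not helper.is_file():
        raise PermissionError(f"{helper} is not a regular file")
    if st.st_mode & WRITABLE_BY_OTHERS:
        raise PermissionError(f"{helper} is group/world-writable")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{helper} is not owned by the current user")
    return helper


def redact(text: str, secrets) -> str:
    """Mask secret values before anything is printed or logged."""
    for s in secrets:
        if s:
            text = text.replace(s, "[REDACTED]")
    return text


def run_upload(helper_cmd, target_file: str, cred: dict):
    """Invoke the helper with the temporary COS credential in environment
    variables, not argv (argv is visible to every local process via ps),
    and return (returncode, redacted combined output)."""
    env = {k: v for k, v in os.environ.items() if not k.startswith("COS_")}
    env.update({
        "COS_SECRET_ID": cred["secret_id"],
        "COS_SECRET_KEY": cred["secret_key"],
        "COS_SESSION_TOKEN": cred["session_token"],
        "COS_EXPIRED_TIME": str(cred["expired_time"]),
    })
    result = subprocess.run(
        [*helper_cmd, "--file", target_file],
        capture_output=True, text=True, env=env, timeout=120,
    )
    secrets = (cred["secret_id"], cred["secret_key"], cred["session_token"])
    return result.returncode, redact(result.stdout + result.stderr, secrets)


def demo() -> dict:
    """Constructed scenario: a throwaway skill tree whose 'Node helper' is a
    Python stub. Returns what was observed so it can be checked."""
    cred = {"secret_id": "AKIDexample", "secret_key": "sk-example-key",
            "session_token": "tok-example", "expired_time": 1700000000}
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        Path(root, "scripts").mkdir()
        stub = Path(root, "scripts", "upload.py")
        # A careless helper that echoes its credential; redaction must catch it.
        stub.write_text("import os, sys\n"
                        "print('uploading', sys.argv[sys.argv.index('--file') + 1])\n"
                        "print('token', os.environ['COS_SESSION_TOKEN'])\n")
        stub.chmod(0o644)
        helper = locate_helper(root, "scripts/upload.py")
        rc, out = run_upload([sys.executable, str(helper)], "report.md", cred)

        stub.chmod(0o666)  # simulate a helper another local user could replace
        try:
            locate_helper(root, "scripts/upload.py")
            writable_rejected = False
        except PermissionError:
            writable_rejected = True

        rogue = Path(outside, "rogue.py")  # a substituted helper outside the tree
        rogue.write_text("print('exfil')\n")
        Path(root, "scripts", "link.py").symlink_to(rogue)
        try:
            locate_helper(root, "scripts/link.py")
            escape_rejected = False
        except PermissionError:
            escape_rejected = True
    return {"rc": rc, "output": out, "writable_rejected": writable_rejected,
            "escape_rejected": escape_rejected}


if __name__ == "__main__":
    print(demo())
```

The ownership and mode checks are what make "comes from a trusted installed skill" checkable at run time rather than a note in a README; the environment-variable hand-off matters because the original snippet puts `--expired-time` and, by implication, the rest of the credential on the command line, where `ps` shows it to any local user.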

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installation guide instructs users to write IMA API credentials directly into plaintext files under ~/.config/ima with no warning about secret sensitivity, file permissions, backup exposure, or local compromise risk. This creates a real credential-handling weakness because API keys can be read by other local processes, captured in backups, or left behind indefinitely, increasing the chance of unauthorized access to the IMA knowledge base.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide retrieves a Tencent Docs token in the shell and registers it without warning that the token is sensitive or may leak through shell history, process inspection, terminal logs, or copy/paste into shared environments. Because this token appears sufficient for authenticated API access, accidental disclosure could let an attacker interact with the user's Tencent Docs integration until the token expires or is revoked.
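Added example covering both credential findings above (plaintext IMA keys under ~/.config/ima and the Tencent Docs token handled in the shell); it is not code from the skill or its installation guide. It creates secret files with mode 0600 from the first instant (O_EXCL so a pre-planted file or symlink is refused, umask so the directory is 0700), refuses to read a secret whose file or parent directory is accessible to other users, and audits an existing config directory for the same problems. A token obtained in the shell would be written with `write_secret` rather than left in argv or shell history. The directory layout and file names are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Illustrative names only; the real skill's config layout under ~/.config/ima
# is not reproduced here.
OTHERS_BITS = 0o077          # any group/other permission on a secret file
DIR_WRITE_BY_OTHERS = 0o022  # group/world write on the containing directory


def secret_file_problems(path) -> list:
    """Return every reason a secret file is unsafe to trust (empty list = OK)."""
    p = Path(path)
    problems = []
    try:
        st = os.lstat(p)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & OTHERS_BITS:
        problems.append(f"mode {oct(st.st_mode & 0o777)} grants group/other access")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("not owned by current user")
    parent = p.parent.stat()
    if parent.st_mode & DIR_WRITE_BY_OTHERS:
        problems.append("parent directory is group/world-writable")
    return problems


def write_secret(path, secret: str) -> None:
    """Create the file 0600 from the start: O_EXCL refuses to clobber or follow
    a pre-planted file, and the umask keeps any created directory 0700."""
    p = Path(path)
    old = os.umask(0o077)
    try:
        p.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
        fd = os.open(p, flags, 0o600)
    finally:
        os.umask(old)
    with os.fdopen(fd, "w") as f:
        f.write(secret.strip() + "\n")


def read_secret(path) -> str:
    """Load a secret only if its file passes every check above."""
    problems = secret_file_problems(path)
    if problems:
        raise PermissionError(f"{path}: " + "; ".join(problems))
    return Path(path).read_text().strip()


def audit_dir(directory) -> dict:
    """Map each unsafe file under the config dir to its list of problems."""
    report = {}
    for f in Path(directory).rglob("*"):
        if f.is_file() or f.is_symlink():
            probs = secret_file_problems(f)
            if probs:
                report[str(f.relative_to(directory))] = probs
    return report


def demo() -> dict:
    """Constructed scenario in a temp dir standing in for ~/.config/ima."""
    with tempfile.TemporaryDirectory() as home:
        cfg = Path(home, ".config", "ima")
        write_secret(cfg / "api_key", "ima-key-example")   # done right: 0600 in a 0700 dir
        sloppy = cfg / "tencent_docs_token"
        sloppy.write_text("td-token-example\n")              # written the way the guide implies
        sloppy.chmod(0o644)                                  # default-umask result: world-readable
        return {
            "api_key": read_secret(cfg / "api_key"),
            "audit": audit_dir(cfg),
        }


if __name__ == "__main__":
    print(demo())
```

Running `audit_dir` against the real config directory is the quick check a user should do after following the installation guide; a backup or sync tool will copy whatever mode the file has, so fixing it at creation time is the only reliable option.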

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly directs the agent to use stored credentials from local config files and to publish generated content to two external platforms, but it does not require any user confirmation or disclose that external transmission will occur. This creates a real risk of unintended data exfiltration, unauthorized actions under the user's accounts, and misuse of privileged API tokens if the skill is triggered in an automated or ambient context.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The skill mandates writing output to a workspace file but does not inform the user that a local file will be created. While less severe than credentialed publishing, undisclosed file creation can still surprise users, overwrite expected artifacts, or leave sensitive research summaries on disk without the user's awareness.
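Added example serving the two findings above (publishing with stored credentials without consent, and undisclosed local file creation); it is illustrative and not part of the scanned skill. The gate spells out every side effect (the file that will be written and each platform the content goes to), refuses to overwrite an existing output file unless asked, requires a typed confirmation when a terminal is present, and in an ambient or automated run transmits nothing unless the user has set an explicit opt-in. The `REPORT_AUTOPUBLISH` variable and prompt text are assumptions.

```python
import os
import sys
from dataclasses import dataclass, field

# Illustrative gate; the environment variable name and prompt wording are
# assumptions, not part of the scanned skill.
OPT_IN_VAR = "REPORT_AUTOPUBLISH"


@dataclass
class PublishPlan:
    output_path: str                              # local file the skill will create
    targets: list = field(default_factory=list)   # e.g. "IMA knowledge base <id>", "Tencent Docs"
    overwrite: bool = False


def describe(plan: PublishPlan) -> str:
    """Spell out every side effect before asking for consent."""
    lines = [f"Will write local file: {plan.output_path}"]
    lines += [f"Will transmit its contents to: {t}" for t in plan.targets]
    if not plan.targets:
        lines.append("No external transmission.")
    return "\n".join(lines)


def is_interactive() -> bool:
    """A human is present only if both stdin and stdout are terminals."""
    return sys.stdin.isatty() and sys.stdout.isatty()


def authorize(plan: PublishPlan, *, interactive=None, answer=None, env=None):
    """Return (allowed, reason). Ambient/non-interactive runs are denied unless
    the user has explicitly opted in; interactive runs need a typed confirmation.
    `interactive`, `answer` and `env` exist so the decision can be exercised offline."""
    env = os.environ if env is None else env
    if interactive is None:
        interactive = is_interactive()
    if os.path.exists(plan.output_path) and not plan.overwrite:
        return False, f"refusing to overwrite existing {plan.output_path}"
    if not interactive:
        if env.get(OPT_IN_VAR) == "1":
            return True, f"non-interactive run with explicit {OPT_IN_VAR}=1"
        return False, f"non-interactive run and {OPT_IN_VAR} not set; nothing sent"
    prompt = describe(plan) + "\nType 'publish' to continue: "
    reply = input(prompt) if answer is None else answer
    if reply.strip().lower() == "publish":
        return True, "user confirmed after seeing the plan"
    return False, "user declined"


if __name__ == "__main__":
    plan = PublishPlan("reports/today.md", ["IMA knowledge base <your id>", "Tencent Docs"])
    print(describe(plan))
    print(authorize(plan))
```

The important property is the default in the non-interactive branch: an agent loop or cron job that triggers the skill gets a refusal and a reason, not a silent upload under the user's accounts.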

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal