ClawHub

Moark Text Moderations

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Gitee AI text-moderation helper that sends user-provided text to an external API using a required API key.

Install only if you are comfortable sending moderated text to Gitee AI. Prefer using the GITEEAI_API_KEY environment variable rather than passing the key on the command line, avoid submitting secrets or regulated data unless Gitee AI's terms fit your needs, and install the Python dependency in a trusted environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares an environment requirement for `GITEEAI_API_KEY` and instructs execution of a bundled Python script, but it does not explicitly declare corresponding permissions. This creates a transparency and governance gap: the skill can access sensitive configuration and make external requests without clearly signaling that capability to users or reviewers.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill sends user-supplied text to an external GITEE AI moderation API but does not clearly warn that the text will leave the local/system boundary. This can expose sensitive, personal, regulated, or proprietary content to a third party without informed user consent, which is especially risky because moderation workflows often involve abusive or highly sensitive text.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits user-supplied text to an external moderation service, but it does not clearly warn the operator that potentially sensitive or regulated content will leave the local environment. In a moderation skill, remote submission is expected, but the lack of an explicit privacy/data-handling notice can still cause accidental disclosure of secrets, personal data, or confidential text.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal