语雀 Skill

Security checks across malware telemetry and agentic risk

Overview

This Yuque automation skill matches its stated purpose, but it can make live authenticated changes and deletions with broad activation and weak confirmation safeguards.

Review this skill before installing. Use it only when you want an agent to manage your Yuque content. If you do, create a dedicated least-privilege token, store it in an environment variable or a locked-down config file, and explicitly confirm any delete, TOC remove, bulk import, or non-dry-run replace operation. Use `--keep-doc` when removing TOC nodes unless you truly intend to delete the underlying document.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and instructs use of capabilities that can read environment variables, access local files, write files, and make network requests to a cloud API, but it does not declare permissions up front. That creates a trust and review gap: an agent or user may invoke a skill with broader effective access than expected, including access to API tokens and local Markdown content, which is especially risky for a document-management integration.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The CLI semantics are unsafe: the `remove` subcommand appears to delete only a TOC node, but `cmd_remove` sets `delete_doc` to true unless `--keep-doc` is provided. In a document-management skill, that mismatch can cause irreversible deletion of underlying content when a user intended only to detach an item from the table of contents.

Vague Triggers

High
Confidence
98% confidence
Finding
The activation rule is extremely broad: any mention of Yuque-related terms or even upload of a Markdown file can trigger the skill, even without an explicit request to use it. In a skill that can perform authenticated network actions and destructive document operations, overly broad auto-invocation can lead to unintended data access, remote changes, or credential use outside the user's clear intent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The guidance says to prefer this skill even when the user describes generic publishing or reorganization tasks without naming Yuque, which makes the boundary between local document help and remote Yuque operations ambiguous. That ambiguity increases the chance that an agent will choose a cloud-connected skill and act on private repositories or documents when the user may have intended only local editing assistance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill prominently supports destructive actions such as deleting documents and removing TOC nodes, and even notes that some removals delete associated documents by default, yet it does not require or recommend explicit confirmation before irreversible changes. In a broadly auto-triggered skill, this omission materially raises the risk of accidental loss of cloud-hosted content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The credential instructions tell users to store a Yuque API token in an environment variable or a local config file but do not emphasize that the token is sensitive or provide guidance on protecting it. Because the same skill uses file and environment access, weak credential-handling guidance can lead to token exposure through logs, shared home directories, backups, or accidental inclusion in exported artifacts.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document instructs users to supply a powerful `X-Auth-Token` and lists broad read/write/delete scopes, but provides no warning about token sensitivity, least-privilege scope selection, or the consequences of exposing that credential. In a skill designed for end-to-end automation of Yuque content, this increases the chance of credential mishandling and unsafe high-privilege use that could enable unauthorized access or destructive actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The repo API reference includes `DELETE /repos/:namespace` alongside create/update operations without any caution that deletion may be permanent and affect entire knowledge bases. Given this skill explicitly promotes autonomous management of repos and TOC structures, omission of a destructive-action warning makes accidental or overly broad deletion materially more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document deletion endpoint is presented as a normal API action with no indication that deleting by numeric document ID can permanently remove user-authored content. In the context of a bulk-capable automation skill, lack of an explicit warning or confirmation expectation raises the risk of unintended document loss at scale.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This is a true safety vulnerability because the destructive path is the default behavior and there is no prominent runtime confirmation or warning before deleting the underlying document. Given this skill is designed for automated end-to-end Yuque operations, a mistaken or loosely specified invocation could mass-delete content rather than merely reorganize TOC entries.

VirusTotal

66/66 vendors flagged this skill as clean.