MeterSphere

Security checks across malware telemetry and agentic risk

Overview

This MeterSphere skill is a real API integration, but it gives an agent broad authenticated read/write access with weak scoping and some avoidable credential-handling risks.

Install only after reviewing the scripts and using least-privilege MeterSphere credentials. Set a trusted METERSPHERE_BASE_URL, avoid METERSPHERE_HEADERS_JSON unless necessary, set explicit project/template/version IDs, do not share verifier output, and treat raw or write commands as actions that can modify live MeterSphere data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tainted flow: 'req' from os.environ.get (line 122, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
def request_json(method, path, body=None):
    data = None if body is None else json.dumps(body, ensure_ascii=False).encode('utf-8')
    req = urllib.request.Request(BASE_URL + path, data=data, headers=headers(), method=method)
    with urllib.request.urlopen(req, timeout=60) as r:
        return json.loads(r.read().decode('utf-8', errors='replace'))

def request_multipart(method, path, fields=None, files=None):
Confidence
90% confidence
Finding
with urllib.request.urlopen(req, timeout=60) as r:

Tainted flow: 'req' from os.environ.get (line 122, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    req_headers['Content-Length'] = str(len(body))

    req = urllib.request.Request(BASE_URL + path, data=body, headers=req_headers, method=method)
    with urllib.request.urlopen(req, timeout=60) as r:
        return json.loads(r.read().decode('utf-8', errors='replace'))
Confidence
90% confidence
Finding
with urllib.request.urlopen(req, timeout=60) as r:

Tainted flow: 'curl_cmd' from os.environ.get (line 231, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        # Use curl to test the connection
        curl_cmd = ['curl', '-s', '-o', '/dev/null', '-w', '%{http_code}', '-I', f'{base_url}/system/status', '--connect-timeout', '10']
        
        result = subprocess.run(
            curl_cmd,
            capture_output=True,
            text=True,
            timeout=15,
        )
Confidence
91% confidence
Finding
result = subprocess.run(curl_cmd, capture_output=True, text=True, timeout=15)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The `raw` command allows callers to issue arbitrary HTTP methods and paths against the configured MeterSphere base URL, bypassing the intended higher-level resource restrictions described by the skill. In an agent context, this materially expands capability scope and can enable unauthorized modification, data access, or destructive API actions if the agent is induced to use it.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script exposes a generic `raw` mode that allows arbitrary HTTP methods and paths against the configured MeterSphere instance, bypassing the curated resource/action restrictions described by the skill. In an agent setting, this materially expands capability scope and could be abused to access, modify, or delete data on endpoints not intended by the manifest.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The script automatically sources a local `.env` file, which gives the skill file-access-based secret ingestion not evident from the high-level description. In an agent context, implicit local secret loading increases the chance of unintended credential use and makes behavior less transparent to the user.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The functional case path writes request contents to a temporary file on disk before upload, which can leak potentially sensitive test data to local storage. This is riskier in an agent skill because payloads may contain internal API definitions, identifiers, or business data, and the temp file cleanup is not protected by a finally block if execution fails early.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
When required IDs are absent, the script silently injects hardcoded templateId and versionId values tied to a specific project. This can cause unintended creation or modification of assets in the wrong project/tenant, resulting in cross-project data contamination and potentially unauthorized writes in a multi-project environment.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The script accepts arbitrary HTTP(S) URLs and fetches them with urllib.request.urlopen, which can cause server-side request forgery if an agent or automation service runs it with attacker-controlled input. In this skill context, the script is designed to ingest remote requirement/OpenAPI documents, so the behavior is intentional, but it still expands the trust boundary and may allow access to internal services, metadata endpoints, or unapproved external hosts.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script prints prefixes of sensitive environment variables such as access and secret keys during verification output. Even partial credential disclosure can aid secret recovery, correlation across logs, or leakage into CI logs and shared terminals.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The usage field lists a wide set of natural-language triggers such as MeterSphere, test cases, review records, and bulk asset writes without clear scope boundaries, confirmation requirements, or safe-read/write separation. In an agent setting, this can cause the skill to activate too broadly and perform sensitive read or write operations against a live MeterSphere instance when a user only intended discussion or limited querying.

VirusTotal

65/65 vendors flagged this skill as clean.
