aim-blog-write

Security checks across malware telemetry and agentic risk

Overview

The skill is a real SEO blog generator, but it handles API secrets and remote network/file operations in ways users should review before installing.

Install only if you trust the publisher and are comfortable sending blog topics, industry/language fields, and an aim-secret-key to the configured AEP service. Use a dedicated low-privilege key, avoid sharing production credentials in chat, independently verify the service URLs, and delete .env, raw.json, and downloaded images when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity: Medium | Category: MCP Least Privilege | Confidence: 95%
Finding
The skill documentation describes shell execution, network access, and local file writes, but no explicit permission declaration is present. That creates a transparency and consent problem: an agent could perform sensitive operations without the user or platform having a clear, enforceable permission boundary.

Tp4

Severity: High | Category: MCP Tool Poisoning | Confidence: 98%
Finding
The public description frames this as a simple routing rule for blog-writing requests, but the body instructs the agent to collect credentials, call a remote service, download remote content, and write multiple local files. This mismatch can mislead operators and users about the skill’s actual trust and attack surface, increasing the chance of unsafe invocation.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
Finding
The skill claims it does not touch internal storage, yet it explicitly instructs writing a secret into `.env` and saving generated `.docx`, images, and `raw.json` locally. This is misleading data-handling documentation that can cause users to disclose secrets or permit storage they did not expect.

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%
Finding
The script downloads arbitrary image URLs returned by seo_agent output without restricting hostnames, schemes, redirect behavior, or response size. If an attacker can influence image URLs, this can be used for server-side request forgery to access internal network resources, or for resource exhaustion by fetching very large responses.
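The hardened fetch a practitioner would want in place of an unrestricted download, added here as an example rather than the skill's own code. The allowlisted host `images.example.com`, the 5 MiB cap and the helper names are assumptions; the example pins the scheme to https, rejects embedded credentials and non-global IP literals, refuses redirects, checks the Content-Type, and reads at most the cap without trusting Content-Length. It does not resolve DNS names, so the allowlist, not name resolution, is the control against an attacker-controlled hostname pointing at an internal address.

```python
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed for this example: the only host the SEO backend may hand us images
# from, and the largest image we are willing to write to disk.
ALLOWED_IMAGE_HOSTS = {"images.example.com"}
MAX_IMAGE_BYTES = 5 * 1024 * 1024


def validate_image_url(url, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Return (True, "") if url may be fetched, otherwise (False, reason).

    Rejects anything that is not plain https, URLs carrying credentials,
    IP literals that are not globally routable (loopback, RFC 1918,
    link-local such as 169.254.169.254) and hosts outside the allowlist.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name; it must match the allowlist below
    if ip is not None and not ip.is_global:
        return False, "non-global IP literal"
    if host.lower() not in allowed_hosts:
        return False, "host not in allowlist"
    return True, ""


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """An allowlisted host must not be able to bounce the fetch elsewhere."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)


def read_capped(read, limit):
    """Read with read(n) at most `limit` bytes and refuse larger bodies.

    Asks for limit + 1 so an oversized body is detected without trusting
    Content-Length, which a hostile server can omit or misstate.
    """
    data = read(limit + 1)
    if len(data) > limit:
        raise ValueError(f"response larger than {limit} bytes")
    return data


def download_image(url, timeout=10, limit=MAX_IMAGE_BYTES):
    """Fetch an image URL returned by the SEO agent, or raise if it is unsafe."""
    ok, reason = validate_image_url(url)
    if not ok:
        raise ValueError(f"refusing to fetch {url!r}: {reason}")
    opener = urllib.request.build_opener(_RefuseRedirects)
    req = urllib.request.Request(url, headers={"User-Agent": "aim-blog-write-example"})
    with opener.open(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("image/"):
            raise ValueError(f"unexpected Content-Type {ctype!r}")
        return read_capped(resp.read, limit)
```

Call `download_image(url)` for each URL in the agent's output and treat any `ValueError` as "skip this image"; logging the rejected URL and reason gives an audit trail of attempted steering.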

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
Finding
The helper constructs a destination from environment-controlled AEP_BASE_URL plus an arbitrary caller-supplied path and sends authenticated POST requests with a shared secret. This creates an overly broad remote invocation primitive that could be abused by other scripts in the skill to reach unintended internal or external endpoints, especially if environment variables or path inputs are not tightly controlled.
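To show why "base URL plus caller-supplied path" is an open invocation primitive, and how to close it, here is an added example (not the skill's code). `unsafe_target` reproduces the pattern with `urllib.parse.urljoin`; `build_aep_url` pins the scheme and host of `AEP_BASE_URL` and accepts only an exact-match allowlist of endpoint paths. The host `aep.example.com` and the two endpoint paths are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumed for this example: where the AEP service lives and the only two
# endpoints the blog skill has any reason to call.
EXPECTED_AEP_HOST = "aep.example.com"
ALLOWED_AEP_PATHS = frozenset({"/api/seo/generate", "/api/seo/status"})


def unsafe_target(base_url, path):
    """The primitive the finding describes, kept only for contrast: urljoin
    lets an absolute URL or a //host path replace the configured base, so the
    shared secret is POSTed wherever `path` points."""
    return urljoin(base_url, path)


def build_aep_url(base_url, path, expected_host=EXPECTED_AEP_HOST, allowed=ALLOWED_AEP_PATHS):
    """Compose the destination only if both halves are exactly what we expect.

    Raises ValueError otherwise, so a tampered AEP_BASE_URL or a surprising
    path from another script fails closed instead of leaking the secret.
    """
    base = urlsplit(base_url)
    if base.scheme != "https":
        raise ValueError("AEP_BASE_URL must use https")
    if base.hostname != expected_host:
        raise ValueError(f"AEP_BASE_URL host {base.hostname!r} is not {expected_host!r}")
    if base.username is not None or base.query or base.fragment:
        raise ValueError("AEP_BASE_URL must not carry credentials, query or fragment")
    if base.path not in ("", "/"):
        raise ValueError("AEP_BASE_URL must be the bare origin")
    # Exact-match allowlist: no prefix matching, so '..', '//', '?', '#' and
    # percent-encoding tricks cannot widen the reachable set.
    if path not in allowed:
        raise ValueError(f"{path!r} is not an allowlisted AEP endpoint")
    return f"https://{base.netloc}{path}"


def aep_call_allowed(base_url, path):
    """Boolean view of build_aep_url for callers that log rather than raise."""
    try:
        build_aep_url(base_url, path)
        return True
    except ValueError:
        return False
```

The important design choice is exact matching against a closed set rather than normalising the path: normalisation has to anticipate every encoding trick, whereas a closed set needs none.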

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
Finding
This script introduces secret bootstrap and AEP service configuration logic that is unrelated to the skill’s declared purpose of routing blog-writing requests to an SEO agent. That mismatch increases the risk of hidden credential collection or unintended privileged behavior, especially because users would not expect a blog skill to manage secrets or external service access.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Finding
The code loads a secret from a local .env and exports it for downstream use, enabling authenticated access to an external AEP service without any clear connection to the stated blog-generation delegation purpose. In this context, credential handling is an over-privileged capability that broadens the attack surface and can facilitate misuse of user-provided secrets.

Vague Triggers

Severity: Medium | Confidence: 88%
Finding
The trigger phrases are broad enough to catch ordinary writing requests, causing the skill to activate in situations where the user may only want simple text generation. In this skill’s context, unintended activation is more dangerous because activation leads to credential collection, remote calls, and local file writes rather than harmless formatting assistance.

Missing User Warnings

Severity: Medium | Confidence: 97%
Finding
The skill instructs the user to paste a secret key into chat and then directs the agent to write it into a local `.env` file, without a clear warning about persistence, exposure in conversation logs, or access controls. Credentials shared in chat are often retained in transcripts and may be visible to systems or personnel beyond the immediate task.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The script reads a secret from disk and exports it into the process environment with no user-facing notice, consent, or audit signal. Exporting secrets increases exposure to child processes, debugging tools, and accidental leakage, which is especially risky in a skill whose declared purpose does not justify credential manipulation.

Natural-Language Policy Violations

Severity: High | Confidence: 98%
Finding
The script instructs the user to paste their secret key to the agent so the agent can write it into the skill’s .env file. This is a direct credential-harvesting pattern: it normalizes sharing sensitive secrets with the agent, which is unnecessary and dangerous because the agent or surrounding system may log, retain, or misuse the credential.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The script sends user-supplied blog parameters to a backend endpoint via run_skill_sync without any disclosure, consent step, or indication of what external service will receive the data. In a content-generation skill this may expose user-provided business context, themes, or other potentially sensitive inputs to a remote service unexpectedly, creating a privacy and data-handling risk.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The script forwards uuid, sessionId, and userId from input directly to the backend, defaulting to fixed identifiers when absent, without warning the user or validating necessity. These identifiers can link requests to a user or session and increase privacy exposure, especially when combined with the content fields sent to the remote service.
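A data-minimising request builder covering the two findings above (undisclosed transmission of blog parameters, and raw uuid/sessionId/userId forwarded by default), added as an example and not taken from the skill. It sends only the fields the remote service needs, replaces the user handle with a keyed per-install pseudonym, uses a random per-request id instead of a fixed default, and produces a plain-language disclosure string the agent can show before calling. The field names `topic`, `industry`, `language` and the endpoint are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed request schema for this example: the only fields the remote SEO
# service needs to write a post. Nothing outside this tuple leaves the machine.
FIELDS_SENT = ("topic", "industry", "language")


def pseudonym(identifier, install_salt):
    """Stable per-install pseudonym. The service can still group requests from
    one installation, but cannot join them to the real userId or chat session
    without the salt, which stays on the user's machine."""
    return hmac.new(install_salt, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def build_request(user_input, install_salt, endpoint):
    """Return (payload, disclosure) for a call to `endpoint`.

    payload contains exactly FIELDS_SENT, a random requestId, and, if the
    caller supplied a userId, its pseudonym. uuid and sessionId are never
    forwarded. disclosure lists what is and is not being sent so the agent
    can surface it before the request goes out.
    """
    missing = [f for f in FIELDS_SENT if not user_input.get(f)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    payload = {f: user_input[f] for f in FIELDS_SENT}
    # Per-request id for server-side dedup and support; random, not a user handle.
    payload["requestId"] = secrets.token_hex(8)
    if user_input.get("userId"):
        payload["client"] = pseudonym(str(user_input["userId"]), install_salt)
    withheld = sorted(set(user_input) - set(FIELDS_SENT))
    disclosure = (
        f"Sending {', '.join(FIELDS_SENT)} to {endpoint}. "
        f"Not sending: {', '.join(withheld) if withheld else 'nothing else'}."
    )
    return payload, disclosure


# Constructed sample input of the shape the finding describes.
SAMPLE_INPUT = {
    "topic": "zero trust for small teams",
    "industry": "software",
    "language": "en",
    "uuid": "1f1d0b2e-0000-4000-8000-000000000000",
    "sessionId": "sess-42",
    "userId": "alice@example.com",
}
```

Generate `install_salt` once at install time with `secrets.token_bytes(32)` and keep it next to the skill with 0600 permissions; the pseudonym is only as unlinkable as that salt is private.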

Ssd 3

Severity: High | Confidence: 99%
Finding
The workflow explicitly asks the user to paste a secret into the conversation and then persists it to `.env`. This is a strong secret-handling anti-pattern because it exposes credentials to chat logs, agent processing layers, and local disk persistence, any of which could lead to credential theft or reuse.

Ssd 3

Severity: High | Confidence: 99%
Finding
This repeated instruction reinforces the same unsafe pattern of collecting the user’s key via chat and writing it into `.env`. Repetition increases the likelihood the behavior is followed operationally, making accidental credential disclosure more probable.
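The secret-handling findings above (paste-into-chat, persistence to `.env`, silent export into the process environment) all share one fix: the agent never sees the key. The following is an added example, not the skill's code, of how the script side can obtain the key from the user's own environment or from a `.env` that only the owner can read, hand it to the single HTTP call that needs it instead of exporting it, and scrub it from anything logged or shown in chat. The variable name `AIM_SECRET_KEY`, the header format and the constructed sample key are assumptions.

```python
import hashlib
import os
import stat
import tempfile

SECRET_VAR = "AIM_SECRET_KEY"  # assumed name; the skill's real variable is not shown here


def fingerprint(secret):
    """Short one-way identifier that can go in logs or chat instead of the key."""
    return "sha256:" + hashlib.sha256(secret.encode()).hexdigest()[:12]


def read_dotenv_secret(path, var=SECRET_VAR):
    """Read `var` from a KEY=VALUE file, refusing files others can read."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible; chmod 600 it first")
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            if key.strip() == var:
                return value.strip().strip("'\"")
    return None


def load_secret(env=None, dotenv_path=None):
    """Source order: the caller's own environment (set by a shell or secret
    manager the agent never sees), then a 0600 .env. Never the conversation."""
    env = os.environ if env is None else env
    value = env.get(SECRET_VAR)
    if value:
        return value
    if dotenv_path and os.path.exists(dotenv_path):
        return read_dotenv_secret(dotenv_path)
    return None


def aep_auth_headers(secret):
    """Give the key to the one request that needs it rather than exporting it
    into os.environ, where every child process and crash dump inherits it."""
    return {"Authorization": f"Bearer {secret}", "Content-Type": "application/json"}


def redact(text, secret):
    """Scrub the key from anything that will be shown to the user or logged."""
    if not secret:
        return text
    return text.replace(secret, "[REDACTED " + fingerprint(secret) + "]")


def demo():
    """Exercise the permission check on a constructed .env in a temp dir."""
    secret = "sk-example-not-a-real-key"  # constructed value, not a real credential
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".env")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"# constructed example\n{SECRET_VAR}={secret}\n")
        os.chmod(path, 0o644)  # the typical default: readable by everyone on the host
        try:
            read_dotenv_secret(path)
            results["loose_perms_refused"] = False
        except PermissionError:
            results["loose_perms_refused"] = True
        os.chmod(path, 0o600)
        results["from_file"] = load_secret(env={}, dotenv_path=path)
        results["env_wins"] = load_secret(env={SECRET_VAR: "from-env"}, dotenv_path=path)
    results["log_line"] = redact(f"calling AEP with {secret}", secret)
    return results
```

With this in place the user instruction becomes "export AIM_SECRET_KEY in your shell, or create a 0600 .env yourself"; the agent's only visible artefact is the fingerprint, which is enough to confirm which key is in use without ever echoing it.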

VirusTotal

0/64 vendors flagged this skill as malicious; all 64 reported it clean.