Fanqie Novel Auto-Publish

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Fanqie chapter-publishing purpose, but it controls a logged-in author account while saving cookies and using under-disclosed automation-evasion browser settings.

Install only if you intentionally want browser automation to operate a Fanqie writer account. Use draft mode first, verify the selected work and chapter files before publishing, protect or delete fanqie_cookies.json after use, and consider removing the stealth flags and --no-sandbox before running it on a normal machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif system == "Windows":
    # Windows uses the clip command, which requires utf-16le encoding
    proc = subprocess.Popen(['clip'], stdin=subprocess.PIPE, shell=True)
    proc.communicate(text.encode('utf-16le'))
    return True
Confidence
98% confidence
Finding
proc = subprocess.Popen(['clip'], stdin=subprocess.PIPE, shell=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes capabilities that read local chapter files, invoke shell commands for setup and execution, and automate login/publishing over the network, but it declares no permissions. This creates a transparency and governance gap: users or orchestrators may invoke a skill with broader access than expected, increasing the risk of unintended file access, credential/session misuse, or external publishing actions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code injects a script that overrides `navigator.webdriver` to hide that the browser is automated. For a chapter-publishing skill, this is not required for core functionality and is a classic anti-detection technique that can be repurposed to bypass platform bot controls or terms-of-service protections.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Launching Chromium with `--disable-blink-features=AutomationControlled` and `--disable-infobars` is intended to reduce automation detectability rather than enable publishing. In this skill context, those flags increase the tool's ability to impersonate a normal user session and evade website defenses, which makes misuse easier.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code persists login cookies to local storage and later reloads them to restore an authenticated session, but it does not provide any explicit user warning, consent flow, or visible protection details for that sensitive authentication material. If the cookie file is readable by other local users, copied from disk, or stored insecurely, an attacker may be able to hijack the author's writer account without needing the original QR login.

VirusTotal

66/66 vendors flagged this skill as clean.