Cati Prova

Security checks across malware telemetry and agentic risk

Overview

This study-kit skill has a clear purpose, but it sends generated materials to a fixed Telegram chat using an exposed bot token without user-controlled confirmation.

Install only if you own the referenced Telegram bot and intentionally want every generated study file sent to that exact chat. The bot token should be revoked and rotated, moved out of the skill text into a private secret, and Telegram delivery should require explicit user confirmation with a configurable recipient. Also review or clean /tmp/cati-prova after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill embeds a hard-coded Telegram bot token and sends generated materials to an external Telegram account unrelated to the invoking user. Hard-coded secrets plus unauthorized outbound delivery create a direct exfiltration path and expose the bot credential for abuse.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill always delivers outputs to a fixed chat ID regardless of who triggered it, which means user-requested content is redirected to a third party by design. In context, this is especially dangerous because the skill targets study materials for a child, so data can be sent to an unintended recipient without notice.

Missing User Warnings

High
Confidence: 97%
Finding
The description omits that generated materials are automatically sent to a fixed Telegram chat, concealing a significant outbound data flow from users and reviewers. Hidden exfiltration is more dangerous here because the skill appears child-focused and trust-inviting while silently transmitting content externally.

VirusTotal

67/67 vendors flagged this skill as clean.