搬题姬

Security checks across malware telemetry and agentic risk

Overview

The skill fits its OJ (online judge) problem-import purpose, but it also deletes local work folders and compiles and runs the `std.cpp` bundled with each imported problem, with no path validation, sandboxing, or user confirmation.

Install it only if you are comfortable running it in a disposable or isolated workspace. Expect it to browse problem pages, create `work_*` directories, write problem, test-data and config files, compile and run C++ code, delete previously generated files, and create ZIP archives. Do not run it in a directory holding unrelated files you care about unless you have first reviewed the paths and commands it will execute.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (17)

Context-Inappropriate Capability

Medium severity, 89% confidence

The code invokes shell commands to compile and execute a local binary (`g++ std.cpp ...` and `./std < ... > ...`) via `system()`. Compiling and running bundled code is functionally related to importing problems and generating test data, but `system()` hands the command string to `/bin/sh -c`, so `PATH`, the environment and the working directory all influence which `g++` and which `./std` actually run. A malicious or tampered `std.cpp`, environment, or working-directory contents can therefore turn this step into arbitrary command execution on the host.

Context-Inappropriate Capability

Medium severity, 94% confidence

The code compiles and executes `std.cpp` via `system()`, which goes beyond passive test-data packaging and introduces arbitrary code execution from workspace files. Imported problem packages may contain an untrusted `std.cpp`, so running it executes attacker-controlled code on the host with the user's privileges.

Context-Inappropriate Capability

Medium severity, 86% confidence

The program compiles and executes a local C++ source file via shell commands, which expands the skill's capability from problem import and test-data generation into arbitrary local code execution. That is convenient here, but any untrusted or tampered `std.cpp` runs with the user's privileges.

Context-Inappropriate Capability

Medium severity, 95% confidence

The code runs `rm -rf testdata/*.in testdata/*.out testdata/*.zip` through a shell without validating the path or pinning execution to a known directory. For a skill meant to import problems and generate test data, automatic deletion is risky: a misconfigured working directory, an unexpected glob expansion, a `testdata` that is really a symlink, or a future path change could remove unintended files.

Context-Inappropriate Capability

Medium severity, 93% confidence

This generator does more than create test inputs: it compiles a local program (`std.cpp`) and then runs the produced binary over every generated input. In an agent skill whose job is importing problems and generating data, executing local code materially widens both the capability and the risk, because any untrusted or tampered `std.cpp` can run arbitrary commands with the user's permissions.

Vague Triggers

Medium severity, 90% confidence

The skill name, description and trigger design are broad enough that common phrases such as '搬运' (roughly "move" or "port") or bare platform names may activate the skill outside a clearly consented import workflow. That can cause unintended browser access, local file reads and writes, directory copying and archive creation when the user only asked a general question about OJ problems.

Vague Triggers

Medium severity, 95% confidence

The manifest keyword list contains ambiguous triggers such as '搬一下' (roughly "move it over"), 'AtCoder' and 'Codeforces' that appear in ordinary discussion, not only in explicit requests to run the workflow. Unintended activation matters more here because the workflow authorizes BrowserUse plus filesystem modification and ZIP creation, so a misfire has real side effects.

Missing User Warnings

Medium severity, 88% confidence

The workflow performs substantial side-effecting operations (copying a template directory, creating work directories, writing source, data and config files, and producing ZIP archives), but the user-facing description does not disclose them. Without upfront notice the user cannot give informed consent, and accidental or surprising workspace modification becomes more likely in combination with the broad triggers.

Missing User Warnings

Medium severity, 93% confidence

The skill includes unconditional `rm -rf` deletion of working directories with no confirmation, validation or safety check. Destructive filesystem operations are risky in an agent context because a value like `{PID}` may be empty, malformed, contain `..` or a path separator, or be influenced by the imported content, any of which can turn the deletion against an unintended path and destroy user data.

Missing User Warnings

Medium severity, 95% confidence

The skill makes `mv work work_{PID}` a mandatory step but adds no warning, confirmation or safety constraint around the rename. Automatic directory mutation can break later steps, clobber expected paths or have unintended side effects if `{PID}` is malformed, attacker-influenced, or collides with an existing `work_*` directory.

Missing User Warnings

Medium severity, 90% confidence

The step explicitly deletes files with `rm -f` before packaging, with no guardrail, confirmation or check that `{WORK_DIR}` is set and points where intended. A malformed, empty or attacker-influenced `{WORK_DIR}` could delete files outside the workspace, which makes the step operationally dangerous even though its purpose is only cleanup.

Missing User Warnings

Medium severity, 92% confidence

The skill instructs `rm -rf work_{PID}` before recreating the working directory, a destructive operation with no safety check, confirmation or constraint on the resolved path. If `PID` is empty, malformed or unexpectedly influenced, the command can delete an unintended directory and cause irreversible data loss in the agent workspace.

Missing User Warnings

Medium severity, 96% confidence

The code deletes files with `rm -rf testdata/*.in testdata/*.out testdata/*.zip` with no confirmation or safety check. The pattern is scoped to `testdata`, but the deletion still removes user data unexpectedly if the command runs from the wrong working directory, or if `testdata` or its entries have been replaced by symlinks pointing elsewhere.

Missing User Warnings

Medium severity, 93% confidence

The program invokes shell commands for compilation and output generation without prior disclosure, so its side effects go beyond writing files. In an agent skill that processes external problem content this surprises users and can execute untrusted code through `g++ std.cpp -o std` and `./std < ... > ...`.

Missing User Warnings

Medium severity, 94% confidence

The code runs `rm -rf` before confirming scope or obtaining explicit user approval. Even though the targets are limited to `testdata/*.in`, `*.out` and `*.zip`, destructive shell deletion can remove a user's earlier artifacts unexpectedly, and it becomes riskier whenever the working directory or path assumptions are wrong.

Missing User Warnings

Medium severity, 97% confidence

The generator silently deletes existing `.in`, `.out` and `.zip` files without warning or confirmation. Even as routine housekeeping, undisclosed deletion can destroy user data in the working directory, and it is especially risky in an agent skill, whose users may not expect filesystem-destructive side effects.
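One way to retrofit the guardrails that the deletion and rename findings above ask for, as an added example that is not part of the skill or of SkillSpector: each of `rm -rf work_{PID}`, `mv work work_{PID}` and `rm -rf testdata/*.in testdata/*.out testdata/*.zip` runs only after `{PID}` has been checked against a strict character set and the resolved path has been confined to one workspace root. `WORKSPACE_ROOT`, `validate_pid`, `resolve_work_dir`, `safe_reset_work_dir`, `safe_rename_work` and `safe_clean_testdata` are names chosen for this example.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own code: guarded replacements for the
# skill's `rm -rf work_{PID}`, `mv work work_{PID}` and
# `rm -rf testdata/*.in testdata/*.out testdata/*.zip` steps.
# WORKSPACE_ROOT, validate_pid, resolve_work_dir, safe_reset_work_dir,
# safe_rename_work and safe_clean_testdata are hypothetical names.
set -u

# Everything the skill touches lives under one root. The default is a fresh
# temporary directory, i.e. the disposable workspace recommended above.
WORKSPACE_ROOT="${WORKSPACE_ROOT:-$(mktemp -d)}"

# A {PID} substituted into work_{PID} must be a short token of letters,
# digits, '_' or '-': never empty, no '/', no '..', no whitespace.
validate_pid() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Print the absolute work_{PID} path under WORKSPACE_ROOT, or fail. A work_*
# entry that is a symlink is refused, since rm/mv on it could reach outside.
resolve_work_dir() {
  validate_pid "$1" || return 1
  local dir="$WORKSPACE_ROOT/work_$1"
  [ -L "$dir" ] && return 1
  printf '%s\n' "$dir"
}

# Guarded `rm -rf work_{PID}` followed by recreate: nothing is deleted unless
# the PID validated and the path resolved under the root.
safe_reset_work_dir() {
  local dir
  dir=$(resolve_work_dir "$1") || { echo "refusing to reset: bad PID '$1'" >&2; return 1; }
  rm -rf -- "$dir"
  mkdir -p -- "$dir/testdata"
}

# Guarded `mv work work_{PID}`: refuses to clobber an existing work_{PID}.
safe_rename_work() {
  local dir
  dir=$(resolve_work_dir "$1") || return 1
  [ -e "$dir" ] && { echo "refusing to rename: $dir exists" >&2; return 1; }
  mv -- "$WORKSPACE_ROOT/work" "$dir"
}

# Guarded cleanup of generated files: only regular files directly inside the
# validated testdata directory, matched by name, are removed.
safe_clean_testdata() {
  local dir
  dir=$(resolve_work_dir "$1") || return 1
  find "$dir/testdata" -maxdepth 1 -type f \
    \( -name '*.in' -o -name '*.out' -o -name '*.zip' \) -exec rm -f -- {} +
}
```

Because the guard lives in the functions rather than in the agent's prompt text, a malformed or attacker-influenced `{PID}` fails closed with a message instead of being expanded into the `rm` or `mv` command line. A user confirmation prompt, which the findings also call for, would sit at the top of `safe_reset_work_dir` and `safe_clean_testdata`; it is left out here so the functions can run unattended in a script.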

Missing User Warnings

Low severity, 88% confidence

The program compiles `std.cpp` and then runs `./std` over each generated input, but this subprocess behaviour is never surfaced to the user. Undisclosed execution of local code is more dangerous in this context because users may believe they are only generating or importing problem files while the tool is invoking a compiler and executing binaries on the host.
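The compile-and-run findings above (the `system()` calls behind `g++ std.cpp -o std` and `./std < ... > ...`) point at the same fix: pass paths as separate argv elements rather than as one shell string, and run the untrusted binary under resource limits and a scrubbed environment. The following is an added example, not the generator's own code: it assumes Linux with the GNU coreutils `timeout` and a bash whose `ulimit` supports `-v`; `build_std`, `run_std_on`, `run_all`, `CPU_SECONDS` and `MEM_KB` are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own code: the compile-and-run step done
# without a shell-interpolated system() call. build_std, run_std_on, run_all,
# CPU_SECONDS and MEM_KB are hypothetical names; assumes Linux with GNU
# coreutils (timeout) and a bash that supports `ulimit -v`.
set -u

CPU_SECONDS="${CPU_SECONDS:-5}"   # CPU and wall-clock budget per test case
MEM_KB="${MEM_KB:-262144}"        # 256 MiB address-space cap for the binary

# Compile one explicitly named source into one explicitly named output.
# Each path is a separate argv element, so a file name with spaces, ';' or
# '$(...)' is just a name, never a second command as it would be in system().
build_std() {
  local src="$1" out="$2"
  [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }
  g++ -O2 -std=c++17 -o "$out" "$src"
}

# Run the compiled binary on one .in file, writing the matching .out beside it.
# The binary gets a scrubbed environment (no variables to harvest), CPU,
# memory and output-size limits, and a wall-clock timeout. The return value is
# the binary's exit status; 124 means the timeout fired.
run_std_on() {
  local bin="$1" input="$2"
  local output="${input%.in}.out"
  case "$bin" in /*) ;; *) bin="$PWD/$bin" ;; esac   # make absolute before cd
  (
    ulimit -t "$CPU_SECONDS"   # CPU seconds
    ulimit -v "$MEM_KB"        # virtual memory, KiB
    ulimit -f 65536            # output file size, 512-byte blocks (32 MiB)
    cd -- "$(dirname -- "$input")" || exit 1
    exec env -i PATH=/usr/bin:/bin timeout "$CPU_SECONDS" "$bin" \
      < "$(basename -- "$input")" > "$(basename -- "$output")"
  )
}

# Generate all outputs for a work directory; stop at the first failure so a
# crashing or hanging std does not silently leave stale .out files behind.
run_all() {
  local bin="$1" dir="$2" f
  for f in "$dir"/testdata/*.in; do
    [ -e "$f" ] || continue
    run_std_on "$bin" "$f" || { echo "std failed on $f (rc=$?)" >&2; return 1; }
  done
}
```

What this does and does not buy: `env -i` denies the binary the caller's environment (the Env Variable Harvesting pattern in the legend above), and the `ulimit` and `timeout` calls bound CPU, memory, output size and runtime, so a `std.cpp` that loops forever or allocates without bound fails with a non-zero status instead of hanging the agent. None of this restricts which files or network endpoints the binary can reach, so an untrusted `std.cpp` still needs the disposable workspace (or a container or seccomp sandbox) that the overview recommends.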

VirusTotal

0 of 65 vendors flagged this skill; all 65 reported it clean. Antivirus verdicts cover known-malicious files, not the behavioural issues listed above, so a clean result does not address the unscoped deletion or the code execution findings.

View on VirusTotal