Noodle Create Writing

Security checks across malware telemetry and agentic risk

Overview

This writing skill is mostly coherent, but it can pass user-provided article topics into a shell command during search, which makes it risky to run with untrusted input.

Review before installing. Do not run this skill with untrusted topics or keywords until the search command is rewritten to use safe argument passing or a direct API call. If you proceed, use a constrained workspace, set the Tavily API key intentionally, avoid confidential prompts, inspect generated posts before publishing, and delete raw output data you do not want retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill clearly states it uses the Tavily API to search based on user-supplied topics and keywords, but it does not warn users that their prompts will be transmitted to a third-party service. This creates a privacy and data-handling risk because users may provide sensitive business ideas, unpublished content plans, or personal information under the assumption the processing is local.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes raw search results and extracted data to a JSON file on disk by default, which can persist potentially sensitive or copyrighted source material, query terms, and derived data without an explicit warning or opt-in. In an agent/skill context, automatic persistence increases the chance of unintended disclosure through shared workspaces, backups, logs, or later processing by other tools.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The command is built as a single shell string and includes untrusted query text derived from user-controlled topic/keywords. Because execSync invokes a shell, crafted input containing shell metacharacters or quotes can break out of the intended argument context and execute arbitrary commands on the host.

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "author": "飞云儿",
  "license": "MIT",
  "dependencies": {
    "axios": "^1.6.0",
    "cheerio": "^1.0.0",
    "marked": "^12.0.0",
    "yargs": "^17.7.0"
Confidence
84% confidence
Finding
"axios": "^1.6.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "license": "MIT",
  "dependencies": {
    "axios": "^1.6.0",
    "cheerio": "^1.0.0",
    "marked": "^12.0.0",
    "yargs": "^17.7.0"
  },
Confidence
80% confidence
Finding
"cheerio": "^1.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "dependencies": {
    "axios": "^1.6.0",
    "cheerio": "^1.0.0",
    "marked": "^12.0.0",
    "yargs": "^17.7.0"
  },
  "devDependencies": {
Confidence
80% confidence
Finding
"marked": "^12.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "axios": "^1.6.0",
    "cheerio": "^1.0.0",
    "marked": "^12.0.0",
    "yargs": "^17.7.0"
  },
  "devDependencies": {
    "@types/node": "^20.0.0"
Confidence
76% confidence
Finding
"yargs": "^17.7.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
axios==1.6.0

VirusTotal

66/66 vendors flagged this skill as clean.
