Back to skill

Security audit

push-task-to-negative-screen

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its task-pushing purpose, but it handles account credentials and external data transfer in ways the documentation does not clearly or consistently disclose.

Install only if you trust the fixed Huawei endpoint and the local environment where stdout and logs may be captured. Do not push sensitive task content, and treat the current credential handling as needing review or patching before use in a shared, CI, or production environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents capabilities including file read/write, network access, and shell execution, but does not declare corresponding permissions. This creates a transparency and consent gap: users may invoke a skill that can access local files, store records, contact remote services, and run commands without an explicit permission model, increasing the risk of unnoticed data access or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior exceeds the stated purpose of a simple task-result pusher by also reading authentication material from local files, inspecting global configuration, writing logs/records, and invoking a shell command for remote update checks. This mismatch is dangerous because users may disclose sensitive task data or permit local access under a narrower trust assumption than the skill actually requires.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The security text claims that all network requests go only to a user-configured URL, while elsewhere the document states the push URL is hardcoded and identifies a default Huawei Cloud endpoint. Contradictory security disclosures undermine informed consent and can mislead users about where their task content is being sent.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document simultaneously states that cloud-side authentication is automatic and that missing required authentication configuration will break the skill. This inconsistency can cause users to misunderstand credential handling and may lead them to expose or troubleshoot sensitive authentication data unnecessarily.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill claims users have full control via custom endpoints, but other sections state the push URL is hardcoded and requires no configuration. This is a material transparency failure because it misrepresents user control over data egress and could cause sensitive content to be sent to an unexpected third-party service.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
Automatic network-based update checking introduces external communication unrelated to the core task of pushing results, which expands the attack surface and can enable tracking, unexpected data egress, or future abuse if the remote endpoint or update logic is compromised. The skill context makes this more concerning because the declared purpose does not clearly justify background network activity, so users and reviewers may not expect it.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reads sensitive credentials from a fixed local path and automatically injects them into every outbound request to a hard-coded remote endpoint. For a skill described as a generic task-result pusher, silently harvesting a personal API key and UID from the host environment exceeds the minimum needed capability and creates a clear risk of unauthorized credential use and user-data exfiltration.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The fallback configuration logic reads a global OpenClaw config file from the user's home directory and extracts auth-related data unrelated to the explicit task payload. This expands the skill's privilege and data access beyond its declared role as a task-result pusher, creating unnecessary exposure of sensitive local configuration and enabling unintended credential use if the skill is run in a broader environment.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code saves full push responses to local JSON files under push_records, which exceeds the stated behavior of only pushing task results and may persist potentially sensitive task metadata or service responses on disk. In an agent skill context, silent local persistence increases data exposure risk because users may not expect task content, identifiers, or backend responses to be retained after transmission.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This script performs external update inspection and process execution even though the skill is described as a generic task-result pusher. Capability expansion beyond the declared purpose is dangerous because it increases attack surface, creates undisclosed outbound behavior, and can surprise operators who would not expect update telemetry or shell invocation from this type of skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
For a result-push skill, adding external update checks via a spawned subprocess lacks clear business justification and broadens privilege and execution pathways unnecessarily. Even if not immediately exploitable, unnecessary subprocess/network capability is a security smell because future changes or compromised dependencies could turn it into a more serious issue.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger includes broad natural-language conditions for any scenario where a task result might be pushed, which increases the chance of unintended activation. In this skill's context, accidental invocation can cause user-provided task content and metadata to be transmitted externally without deliberate intent.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The documentation repeats an ambiguous catch-all activation condition covering essentially any post-task push scenario. Because this skill performs outbound transmission and local recording, overbroad invocation materially raises the risk of unintentional data disclosure or unnecessary network actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code prints whether sensitive keys exist and, when present, prints their full values directly to stdout. API keys and user identifiers exposed in logs or console output can be harvested by other local users, log collectors, CI systems, or support tooling, enabling unauthorized use of the associated account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function transmits user data together with personal credentials and identifiers to a hard-coded external service without any operation-point disclosure, confirmation, or destination control. In this skill context, that is more dangerous because the advertised purpose is generic result pushing, not privileged credential-backed export of host identity and task contents to a fixed remote server.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The push() method transmits task data to an external Hiboards service without any user-facing consent, disclosure, or classification of what content leaves the local environment. Because task_content and related metadata may contain sensitive operational or personal information, silent network exfiltration to a third party is a real privacy and security risk in this skill context.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The code writes push responses to disk without explicit disclosure, creating an unexpected local audit trail that may contain task identifiers, timestamps, content-derived metadata, or backend response details. While lower impact than network transmission, undisclosed persistence still broadens the attack surface through local file access, backups, and forensic recovery.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs collection and transmission of task content and metadata to a remote endpoint, including a hardcoded default destination. This is sensitive-data egress by design; in a task-pushing skill it may be functional, but it remains dangerous if users are not given clear, specific consent and controls because task content can contain confidential information.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documentation states that user data will be sent to a push endpoint and identifies a default remote service destination. Even though outbound transmission is the core function, this still represents a real privacy/security risk because the payload includes task content and metadata, and the destination is externally hosted.

Ssd 3

Medium
Confidence
90% confidence
Finding
The normal workflow includes collecting task results and pushing them to an external system. In context this is expected behavior, but it is still a true risk surface because the workflow operationalizes routine exfiltration of user content, making accidental or excessive sharing possible if triggering and consent are weak.

Ssd 3

Medium
Confidence
89% confidence
Finding
The security guide itself describes a data path from user input through processing to an external endpoint. This is not hidden behavior, but it is still security-relevant because it confirms systematic outbound transfer of potentially sensitive task content and should therefore be treated as a real data-exposure risk requiring strong consent and minimization controls.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.