Today Task For Xiaoyi Claw

Security checks across malware telemetry and agentic risk

Overview

The skill does the advertised task-pushing job, but it handles local credentials and outbound task data with enough disclosure and control problems that users should review it carefully before installing.

Install only if you intend to send task results and related metadata to the hardcoded Huawei Xiaoyi endpoint. Do not include sensitive personal, business, or secret data in task content. Protect or avoid the plaintext .xiaoyienv credential file, and assume console output, verbose logs, and local records may expose sensitive information until the credential-printing and documentation inconsistencies are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents capabilities to read local files, write local records, and send network requests, but it does not declare corresponding permissions. That creates a transparency and consent failure: users and hosting systems cannot accurately evaluate what the skill will access before use. In this context the risk is heightened because the undocumented capabilities include reading local credential files and transmitting data to a remote endpoint.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond a simple task-result pusher by reading a local credential file, extracting PERSONAL-API-KEY and PERSONAL-UID, using them for remote authentication, and persisting responses locally. Even though some of this is mentioned later, the overall description understates the sensitivity of the behavior and may mislead users about credential handling and data exfiltration risk. The skill context makes this more dangerous because it processes arbitrary task content, which may include sensitive user data, then transmits it alongside user-linked identifiers.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The security documentation gives contradictory statements about endpoint control, claiming both that the service endpoint is hardcoded and that users can configure a custom endpoint. This is a true security documentation integrity issue because it can mislead users about where task data and local credentials will be sent, undermining informed consent and safe deployment decisions.

Intent-Code Divergence

Low
Confidence
94% confidence
Finding
The permissions section describes network access as being used for a configurable endpoint, while other parts of the same file state the code always sends data to a fixed Huawei endpoint. This inconsistency can cause operators to misunderstand the external exposure of task results and authentication material, though the issue is primarily documentation-driven rather than direct code execution risk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation contradicts itself on whether authentication comes from a local credential file or is obtained automatically from the cloud. Contradictory security documentation can cause users to mis-handle credentials, wrongly assume no secrets are being accessed locally, or fail to protect sensitive files. Because this skill uses authentication to contact a remote service, ambiguity around secret sourcing materially increases operational and privacy risk.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The skill claims both that the push URL is hardcoded and that users can configure a custom endpoint. This inconsistency is security-relevant because it affects trust boundaries: users cannot tell where their data will actually go or whether they can constrain transmission to an approved destination. In a data-pushing skill, uncertainty about the true endpoint directly impacts privacy and compliance expectations.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The security guide advertises modes such as dry-run, validate-only, or verbose options that are not supported elsewhere in the documentation. This is a security issue because users may rely on nonexistent safe-testing controls and accidentally perform real network transmissions while believing they are only validating input. The danger is somewhat limited because this is documentation-level, but it still undermines informed consent and safe operation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The client reads credentials from a fixed local file (/home/sandbox/.openclaw/.xiaoyienv), injects them into outbound headers, and also mutates the payload with the user ID. This creates an implicit secret-handling and exfiltration capability beyond a simple task-result pusher, and the hardcoded path plus automatic use of credentials increases the chance of unauthorized transmission or misuse in multi-skill environments.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The test block states that it does not actually send a request, but the code path calls push(), which performs a real network POST. Misleading test behavior is dangerous because developers or reviewers may run it believing it is harmless, causing unintended external transmission of data or use of live credentials.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger definition includes an open-ended catch-all condition for essentially any scenario where a task result might be pushed. Overly broad triggers can cause the skill to activate in contexts the user did not specifically intend, increasing the chance that unrelated or sensitive task output is sent to the remote endpoint. Given that this skill performs network transmission and local persistence, accidental activation is more dangerous than for a purely local utility.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The repeated ambiguous trigger conditions reinforce a broad activation surface, making unintended invocation more likely. When combined with credential use and outbound transmission, ambiguous activation increases the probability of accidental data disclosure rather than merely causing UX issues. The skill context therefore elevates this from a simple quality problem to a real security concern.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code prints PERSONAL-API-KEY and PERSONAL-UID values directly to stdout when present. Secrets exposed in console output can be captured by logs, CI systems, terminal history, or other processes, leading to credential theft and unauthorized API use.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The module writes push-task summary fields derived from push_data and error responses into persistent log files, including task summary text and a partially masked auth code. In a task-result pusher, these fields may contain sensitive business data, identifiers, or secrets, so file logging can create unintended data retention and disclosure risk if logs are accessed or collected centrally.

Session Persistence

Medium
Category
Rogue Agent
Content
**Linux/Mac**:
```bash
mkdir -p ~/.openclaw
echo "PERSONAL-API-KEY=your_api_key_here" > ~/.openclaw/.xiaoyienv
echo "PERSONAL-UID=your_uid_here" >> ~/.openclaw/.xiaoyienv
```
Confidence
87% confidence
Finding
```bash
mkdir -p ~/.openclaw
echo "PERSONAL-API-KEY=your_api_key_here" > ~/.openclaw/.xiaoyienv
echo "PERSONAL-UID=your_uid_here" >> ~/.openclaw
```

Unpinned Dependencies

Low
Category
Supply Chain
Content
```text
# Task pusher dependencies
# These are standard, widely used Python libraries

requests>=2.25.1
# Used for HTTP requests; only sends data to the user-configured URL

# Note: this skill only uses the requests library for network communication
```
Confidence
91% confidence
Finding
requests>=2.25.1

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

VirusTotal

67/67 vendors flagged this skill as clean.
