Gaoding Design

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Gaoding design automation tool, but it needs careful handling because it uses a real Gaoding account and stores login state locally.

Install only on a trusted machine. Use a dedicated Gaoding account if possible, protect the .env file and cookies.json, do not commit or share them, and periodically delete stored cookies and exported files when you no longer need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a design automation tool, but its documented behavior includes reading local credentials, performing automated login, and persisting authentication cookies for reuse. That expands the trust boundary significantly: compromise of local state or misuse of the skill could expose account access well beyond simple template search/edit actions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code loads GAODING_USERNAME and GAODING_PASSWORD from a local .env file and uses them to perform automated login, which is a credential-handling capability not disclosed by the stated design-tool description. Even if intended for convenience, silently consuming local credentials expands the skill's privilege and can surprise users by using account secrets and initiating authenticated actions without explicit consent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill persists browser cookies under the user's home directory, creating local authenticated session storage beyond the manifest's stated design operations. Stored session cookies may allow later reuse of an authenticated account by other local processes or users with filesystem access, especially because no encryption or restrictive permission handling is applied.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs users to place account credentials in a local `.env` file and supports exporting files, but it does not clearly warn users that credentials will be consumed by browser automation or that local artifacts may be created and retained. This increases the risk of accidental credential exposure, unsafe workstation storage, and unintended persistence of exported sensitive designs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide instructs users to place their Gaoding username and password in a local .env file, but provides no guidance on secure handling such as file permissions, excluding the file from version control, or using a secret manager. While this is common developer practice, it still increases the risk of credential exposure through accidental commits, backups, shared machines, or local compromise.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation says OpenClaw will automatically call the search script and later states the skill will automatically re-login when cookies expire, but it does not clearly disclose that stored credentials may be used for automated browser login and network actions. This lack of transparency can lead users to provide credentials without understanding the automation scope, increasing the chance of unintended account activity or misuse if the skill is modified or compromised.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code writes authentication cookies directly to disk in JSON without any user-facing warning or consent flow. This is dangerous because users may not realize session state is being retained across runs, and plaintext cookie files can be copied or reused to impersonate the logged-in session if local access is obtained.

VirusTotal

66/66 vendors flagged this skill as clean.
