Gaoding Template Recommend

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because a search-focused skill also stores account sessions and includes wired template edit/export actions.

Install only if you are comfortable giving the skill access to a Gaoding account and letting it save reusable login cookies and generated files locally. Use a dedicated or low-privilege account, protect the .env file, clear saved cookies when done, and treat edit/export actions as account-affecting operations rather than simple search.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The README markets the skill as a template search/recommendation tool, but the documented project structure includes editing and export modules that materially expand its capabilities. This mismatch increases the risk of deceptive scope, over-privileged deployment, or unsafe downstream agent use because operators may grant credentials and browser access expecting read-only behavior while the skill can modify or extract user content.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Documenting edit and export capabilities in a skill whose stated purpose is only search/recommendation suggests unnecessary functionality beyond user expectations. In an agent setting, this can enable unauthorized content modification or data exfiltration through exported designs, especially because the skill uses authenticated browser automation against a user account.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This module performs credential loading, automated login, and long-lived session persistence even though the skill is presented as a template search/recommendation tool. That mismatch increases risk because users and operators may not expect the skill to access local secrets and maintain authenticated sessions, creating unnecessary exposure of account access if the skill is invoked in broader contexts.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reads credentials from a local hidden .env file and uses them to automate login, giving the skill access to stored account secrets beyond its stated template recommendation purpose. In an agent environment, this is dangerous because any unnecessary credential access expands the blast radius if the skill is misused, compromised, or invoked unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The module persists authenticated session cookies to disk for later reuse, enabling silent restoration of account access. Storing reusable session material on the local filesystem without stronger protections increases the chance of account compromise if the host, user profile, or skill storage directory is accessed by another process or user.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The function automates exporting the currently open design and saves the downloaded file to a fixed directory under the user's home folder. That behavior materially exceeds the declared scope of a skill intended only for searching/recommending templates, creating an undeclared data egress-to-disk capability that could save user content without clear consent or expectation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This code waits for a browser download event and writes the resulting content to local disk, despite the skill description only covering template search/recommendation. In context, the mismatch between advertised purpose and implemented capability makes the behavior more dangerous because it can silently persist user-generated or remote content outside the expected trust boundary.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The implemented behavior exceeds the declared skill scope: beyond searching/recommending templates, it can modify remote templates and export finished files. This matters because users, reviewers, and policy controls may authorize a lower-risk read-only/search skill while the code performs state-changing actions and file creation, creating a capability-mismatch and consent problem.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to place account credentials in a local `.env` file but provides no warning about protecting that file, avoiding commits, restricting permissions, or using safer secret storage. This can lead to credential leakage through source control, backups, logs, or multi-user systems, especially since the credentials grant access to a real third-party account.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill omits a clear warning that using it will transmit credentials/session data to `gaoding.com`, persist or reuse login cookies, and write a screenshot file locally. In an authenticated browser automation context, lack of transparency about data flows and local artifact creation can expose sensitive account data or design content without informed user consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document tells users to directly edit and overwrite `sessions.json` to remove `skillsSnapshot`, but it does not instruct them to back up the file, stop the relevant service first, or validate the JSON before writing it back. This creates a real operational security/integrity risk: a malformed or partially written session state file can corrupt agent state, break sessions, or cause loss of conversation/session metadata.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The troubleshooting steps instruct users to read `~/.openclaw/credentials/feishu-pairing.json` and manually add an `open_id` to `channels.feishu.allowFrom`, but they do so without warning that this is sensitive identity/authorization data. Misuse or overbroad configuration can weaken channel access controls, expose private identifiers, or allow unintended senders to bypass the normal pairing/approval workflow.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill saves authentication cookies to disk without any visible user disclosure or consent mechanism. For a seemingly simple template recommendation skill, undisclosed storage of reusable session tokens is risky because users may not realize the skill is keeping them logged in across runs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill automatically submits stored credentials and reuses saved authentication state without explicit warning or user action. This is dangerous because it can cause unintended account access and data exposure under the guise of a low-risk recommendation feature, especially in automated agent workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code saves downloaded content directly to a deterministic path using the suggested filename, with no visible user disclosure, confirmation, or safety checks. This can lead to silent persistence of files on the local machine, surprising users and increasing the risk of unwanted storage of sensitive design data or unreviewed downloaded content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill restores persisted browser cookies without any disclosure or consent flow, meaning authenticated session state may silently carry across runs. This can surprise users, expand the blast radius of account compromise, and enable actions under a previously saved login without the user understanding that the agent is reusing stored credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill saves browser cookies after performing actions, persisting authenticated session data without any visible warning. Persisted session material is sensitive because it may be reused later to access or modify remote resources, especially in an automation context where actions can be triggered indirectly from future messages.

Credential Access

High
Category
Privilege Escalation
Content
}
}

/** Load the Gaoding account credentials from .env */
function loadCredentials(): { username: string; password: string } | null {
    const skillDir = path.join(os.homedir(), '.openclaw', 'skills', 'gaoding-template-recommend');
    const envPath = path.join(skillDir, '.env');
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
/** Load the Gaoding account credentials from .env */
function loadCredentials(): { username: string; password: string } | null {
    const skillDir = path.join(os.homedir(), '.openclaw', 'skills', 'gaoding-template-recommend');
    const envPath = path.join(skillDir, '.env');
    if (fs.existsSync(envPath)) {
        process.loadEnvFile(envPath);
    }
Confidence
96% confidence
Finding
.env'

Known Vulnerable Dependency: playwright==1.50.0 — 1 advisory(ies): CVE-2025-59288 (Playwright downloads and installs browsers without verifying the authenticity of)

High
Category
Supply Chain
Confidence
98% confidence
Finding
playwright==1.50.0

VirusTotal

66/66 vendors flagged this skill as clean.
