Gr Geo Cite

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly aligned with its stated purpose, GEO citation auditing, but it under-discloses its calls to external AI providers and its credential handling enough that users should review it before installing.

Install only if you are comfortable with the skill making outbound calls to AI providers and GitHub using your environment credentials. Review or remove the DeepSeek branch unless you explicitly want it, use narrowly scoped API keys, avoid running the URL scorer on internal/private addresses, and treat generated reports or llms.txt output as review-before-publish material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tainted flow: 'req' from os.environ.get (line 111, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
    req = urllib.request.Request(url, data=payload,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=60) as r:
            d = json.loads(r.read())
        return d["candidates"][0]["content"]["parts"][0]["text"]
    except Exception as e:
Confidence: 93%
Finding: with urllib.request.urlopen(req, timeout=60) as r:

Tainted flow: 'req' from os.environ.get (line 111, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
    req = urllib.request.Request(url, data=payload,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=60) as r:
            d = json.loads(r.read())
        return d["candidates"][0]["content"]["parts"][0]["text"]
    except Exception as e:
Confidence: 88%
Finding: with urllib.request.urlopen(req, timeout=60) as r:

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill metadata says it tracks 4 fixed AIs, but the code also queries DeepSeek whenever a key is present. That mismatch causes undisclosed transmission of prompts and related metadata to an additional provider, which is a security and privacy concern because operators may not realize a fifth external service is being contacted.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The DeepSeek function claims it is only a fallback when no other AI key is available, but main() invokes it unconditionally whenever a DeepSeek key exists. This deceptive or inaccurate behavior increases the risk of unintended external data sharing and undermines operator trust, especially in an agent skill that may run unattended.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill metadata says it checks four AI systems, but the code also queries DeepSeek as a fallback. This mismatch increases privacy and supply-chain risk because operators may not realize prompts and metadata can be sent to an additional third party outside the declared trust boundary.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill describes external AI queries, response parsing, and local report/file generation without an explicit warning that user inputs, queries, URLs, or content may be transmitted to third-party APIs and written to local artifacts. Lack of disclosure can expose sensitive business data or unpublished content during routine use, especially in an agent workflow where users may assume analysis is local.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The skill instructs use of multiple environment-variable credentials but does not warn users about secret handling, provider exposure, or least-privilege considerations. While documentation alone is not secret exfiltration, normalizing credential use without safeguards increases the chance of overbroad token provisioning, accidental leakage in logs, or unauthorized API usage.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The trigger list is broad enough to activate on ordinary SEO/content requests such as 'llms.txt', 'AI引用', or 'GEO优化', which can cause the agent to invoke this skill outside a narrowly intended context. Over-broad activation increases the chance of unintended workflow execution, including API-based audits and content modification guidance, reducing user-intent fidelity and creating prompt-routing risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The Gemini request places the API key directly in the URL, which can leak through logs, monitoring systems, exception traces, and intermediary infrastructure. In a scheduled automation context, such leakage may persist unnoticed for long periods, increasing the chance of credential compromise.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The script accepts an arbitrary URL and performs an outbound HTTP request without any confirmation, disclosure, or restriction. In an agent/skill context, this can be abused to trigger unexpected network access, including requests to attacker-controlled hosts or internal services, creating SSRF-like risk, privacy leakage, and surprising external side effects.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The Gemini key is placed in the URL, which can expose the credential through logs, tracing, metrics, and intermediary systems even when HTTPS is used. The lack of warning or disclosure compounds the issue because operators may not understand that this provider integration handles the secret less safely than the others.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script sends prompts to multiple external AI providers, but there is no explicit privacy notice, consent check, or guardrail limiting sensitive content. In this skill context the queries are currently fixed and low sensitivity, which reduces severity, but the behavior still expands data exposure to several third parties.

VirusTotal

VirusTotal findings are pending for this skill version.