Bian16 Wallpaper Downloader

Security checks across malware telemetry and agentic risk

Overview

This is a real wallpaper-downloader skill, but it asks users to handle login cookies and includes limited CAPTCHA/slider automation guidance that needs review before use.

Review before installing. Use only with an account and downloads you are authorized to access, treat copied cookies like passwords, avoid command history/log exposure, keep CAPTCHA or slider completion manual, respect the site's rate limits and terms, and run cleanup only in a controlled wallpaper directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding:
The skill instructs extracting authentication cookies (`RcGFvmluserid`, `RcGFvmlauth`, `RcGFvmlusername`) and passing them into a download script, but it provides no explicit warning that these are sensitive credentials or guidance to avoid logging, storing, or exposing them. Session cookies can be reused to impersonate the user on the target site, so careless handling could lead to account/session compromise.

Ssd 4

Medium
Confidence: 89%
Finding:
This section documents a workflow that progresses from normal login to assisting with CAPTCHA/slider completion and explicitly allows a visual-AI/browser-automation attempt to get past the challenge. Even with limits and fallback to manual handling, this normalizes defeating an access-control mechanism designed to distinguish legitimate human access, which can facilitate unauthorized scraping or abuse of the target site's protections.

VirusTotal

66/66 vendors flagged this skill as clean.
