Security audit

Gxpcode Tu Xingsun

Security checks across malware telemetry and agentic risk

Overview

The skill’s regulatory tracking purpose is coherent, but it includes under-scoped source/config mutation paths that users should review before installing.

Install only if you are comfortable with a skill that installs Python/browser dependencies, contacts external regulatory websites, downloads PDFs, writes reports/history, and can modify its source list. Run the source-management panel only when needed, stop it afterward, review any new parser code before using it, and avoid sharing generated reports if full local attachment paths are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs running local Python setup and workflow scripts, performing network retrieval, and reading/writing files, yet it declares no permissions. This creates a transparency and policy-enforcement gap: hosts or users cannot accurately assess or constrain what the skill will do, increasing the risk of unintended shell execution, filesystem modification, and external data access.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
This file exposes a localhost HTTP management interface that can read and overwrite the skill's source configuration without any authentication, CSRF protection, or input validation. Even though it binds only to 127.0.0.1, any local process or a malicious webpage able to target localhost could modify the monitored sources, disable feeds, or replace URLs, affecting integrity of regulatory monitoring and potentially redirecting later workflows to attacker-controlled endpoints.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code allows PDFs to be written to a caller-controlled output directory, and defaults to the current working directory when none is provided. That can place downloaded content outside the skill workspace boundary, weakening isolation guarantees and enabling uncontrolled persistence of untrusted files on the host filesystem.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The skill does more than summarize regulatory pages: it fetches and stores attachment PDFs in bulk from remote sites. Archiving untrusted external documents increases data exposure and storage risk, and expands behavior beyond the stated scanning/reporting purpose, which can surprise operators and bypass least-privilege expectations.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger keywords include broad operational phrases such as '法规跟踪', '法规扫描', and 'regulatory tracking', which may match ordinary user conversation and invoke the skill unexpectedly. Because the skill performs network collection and file-generating workflows, accidental activation could cause unintended external requests, local writes, or noisy automation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description says the skill scans regulatory sources and generates reports, but it does not clearly warn users that it will access external websites/RSS feeds and download content. This weakens informed consent and can surprise users in restricted or sensitive environments where outbound access, attachment retrieval, or data handling must be explicitly disclosed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The prompt instructs the agent to write a new `sources.yaml` entry and create `scripts/parsers/{name}.py` based on a user-provided URL, but it does not require confirmation, sandboxing, path restrictions, or review before modifying repository files. In a skill that analyzes external regulatory sources, this creates a realistic avenue for unintended or attacker-influenced code/config changes, especially if the generated parser logic is later executed by the system.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The step documentation states that Step 5 updates a persistent history.json file, but it does not clearly warn users that running the step mutates state across executions. This can surprise operators, affect reproducibility, and lead to unintended retention of regulatory tracking data, especially in shared or automated environments.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The report specification says the generated report includes the attachment field as a complete absolute local path, but there is no privacy warning. Absolute paths can disclose usernames, workstation layout, network shares, project names, or sensitive storage locations when reports are shared externally, exported, or logged.

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0
pyyaml>=6.0
markdown>=3.5
playwright>=1.40
Confidence
95% confidence
Finding
feedparser>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0
pyyaml>=6.0
markdown>=3.5
playwright>=1.40
Confidence
95% confidence
Finding
pyyaml>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0
pyyaml>=6.0
markdown>=3.5
playwright>=1.40
Confidence
98% confidence
Finding
markdown>=3.5

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0
pyyaml>=6.0
markdown>=3.5
playwright>=1.40
Confidence
94% confidence
Finding
playwright>=1.40

Known Vulnerable Dependency: markdown==3.5 — 2 advisory(ies): CVE-2025-69534 (Python-Markdown has an Uncaught Exception); CVE-2025-69534 (Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like se)

High
Category
Supply Chain
Confidence
88% confidence
Finding
markdown==3.5

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.