shareone

Security checks across malware telemetry and agentic risk

Overview

The ShareOne skill mostly matches its sharing purpose, but its API-key handling and privileged download behavior are risky enough to require review before installing.

Install only if you are comfortable with a skill that publishes content to public ShareOne links and manages ShareOne API keys. Avoid pasting high-value keys into chat, rotate any key exposed in transcripts or logs, confirm exact content before publishing, and be careful with download/update operations on links whose owner-level credentials may bypass public restrictions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Context-Inappropriate Capability (severity: High, confidence: 99%)

The script prints the actual ShareOne API key to stdout in both the direct fallback and normal paths. Console output is often captured by logs, CI systems, wrappers, agent frameworks, or other users/processes, turning a secret-check operation into secret disclosure and enabling unauthorized API access.

Context-Inappropriate Capability (severity: Medium, confidence: 95%)

This script requests a guest ShareOne API key and persists it either locally or in the Sudowork proxy, which introduces credential generation and storage behavior beyond the core file publish/download/comment workflow described for the skill. Even if intended for convenience, creating reusable credentials expands the attack surface because a leaked or misused guest key could enable unauthorized access to ShareOne resources or abuse of the platform under the user's environment.

Context-Inappropriate Capability (severity: Medium, confidence: 90%)

The file can enumerate, create, and delete secrets in the Sudowork secrets service, which is a broader secret-management capability than the stated ShareOne publish/download/edit/comment purpose. Even though it targets a ShareOne namespace/key, exposing secret listing and mutation increases blast radius if the skill is misused or invoked unexpectedly in a privileged environment.

Description-Behavior Mismatch (severity: High, confidence: 97%)

The workflow explicitly instructs the agent to use an owner-authorized download endpoint that bypasses normal ShareOne controls such as password protection and allow_download restrictions. This creates a privilege escalation/data access issue because the agent may retrieve content in a way that exceeds the user-visible sharing permissions implied by the link.

Intent-Code Divergence (severity: Medium, confidence: 88%)

The file says the script will use owner download even when public restrictions would block access, but later states that without owner access the agent must require allow_download and possibly a password. This inconsistency is security-relevant because it obscures when privileged bypass occurs and can cause operators or downstream agents to misunderstand the actual access-control behavior.

Context-Inappropriate Capability (severity: Medium, confidence: 93%)

The workflow explicitly tells the agent to inject a third-party CDN-hosted Mermaid ESM script into published HTML. That adds external code execution and a supply-chain dependency to otherwise local content publishing, creating risk of malicious script changes, CDN compromise, privacy leakage via client requests, or future behavior changes outside the publisher's control. In this skill context, the danger is more significant because the published page is intended for public sharing, so every viewer's browser will fetch and execute remote code.

Vague Triggers (severity: Medium, confidence: 88%)

The activation phrases are broad enough to capture ordinary requests like 'share', 'publish', or 'generate a link', which may trigger external publication when the user did not intend ShareOne or public hosting. In a skill that can upload content and expose it publicly, ambiguous routing materially increases the risk of accidental data disclosure.

Vague Triggers (severity: Medium, confidence: 90%)

The examples and routing guidance treat many generic sharing requests as in-scope without clearly distinguishing local sharing from public ShareOne publication. Because this skill can publish conversation history, documents, and code externally, unclear boundaries make inadvertent exfiltration more likely in normal agent use.

Missing User Warnings (severity: High, confidence: 99%)

The script emits the credential value directly without warning or access control, which can leak the key to terminals, shell history captures, process supervisors, telemetry, or log aggregation systems. In an agent skill context, stdout may be surfaced to higher-level tooling or users, making accidental exfiltration especially likely.

Missing User Warnings (severity: High, confidence: 99%)

The script prints the newly generated guest API key directly to stdout, which can expose the credential to logs, terminals, CI output, agent transcripts, or other monitoring systems. Any party with access to those outputs may reuse the key, making this a straightforward credential disclosure issue.

Missing User Warnings (severity: Medium, confidence: 92%)

The code stores the guest API key locally or in the Sudowork proxy without any explicit disclosure or consent flow, creating silent credential persistence in the user's environment. Undocumented storage increases the risk of later compromise through local file access, shared environments, backups, or proxy-side exposure.

Missing User Warnings (severity: Medium, confidence: 88%)

When saving to the Sudowork proxy fails, the script silently falls back to local API key storage. Persisting a secret to local storage without explicit user consent or a clear warning increases the chance the credential is left on disk in an unexpected location, where it may be exposed through filesystem access, backups, or multi-user environments.

Missing User Warnings (severity: Medium, confidence: 86%)

In the normal path, the script stores the API key locally without informing the user that the credential will be persisted. For a skill that handles publishing and downloading via a remote platform, silent persistence of long-lived tokens can broaden exposure if the host is shared, compromised, or later inspected.

Missing User Warnings (severity: Medium, confidence: 88%)

The code persists and deletes API credentials in a local file without any confirmation, disclosure, or apparent permission hardening. Silent credential storage can surprise users, leave secrets on disk in recoverable form, and create opportunities for other local processes or users to access the ShareOne API key.

Missing User Warnings (severity: Medium, confidence: 92%)

The code sends the Sudowork bearer token from environment variables in network requests to the secrets service. In a skill context, transmitting platform credentials is sensitive because compromise of request routing, logs, or an attacker-controlled proxy/base URL could expose high-value credentials and enable broader secret access.

Missing User Warnings (severity: Medium, confidence: 82%)

This code automatically attaches a ShareOne API key to authenticated outbound requests, either directly or via the Sudowork proxy, without any user-visible disclosure in this file. While authentication is expected for the integration, silent credential transmission is still sensitive and becomes dangerous if the destination base URL is changed maliciously or misconfigured.

Missing User Warnings (severity: Medium, confidence: 84%)

The workflow directs the agent to save retrieved file contents locally without warning about privacy, retention, or sensitive-data handling. Downloaded ShareOne content may contain confidential material, so silent local persistence increases the risk of unintended disclosure, residual data retention, or later misuse on the host system.

Missing User Warnings (severity: High, confidence: 96%)

The instructions tell the agent to prefer an API-key-enabled owner download route that bypasses password and allow_download checks, but provide no explicit warning to the user that stronger internal credentials are being used. In this skill context, that is especially dangerous because the skill is meant to operate on shared links, so users may reasonably expect link-level restrictions to be honored rather than silently overridden.

Ssd 3 (severity: High, confidence: 98%)

The skill explicitly supports publishing the current conversation history and large text content to a persistent public link. That creates a direct natural-language exfiltration path for sensitive user data, secrets, internal discussions, or regulated information that may appear in the conversation context without the user appreciating the scope of disclosure.

Ssd 3 (severity: High, confidence: 97%)

The trigger examples actively encourage sharing the last response, recently written code, or large blocks of text, which are common places for secrets, tokens, proprietary code, and personal data to appear. In context, this makes the skill more dangerous because it normalizes public export of context-derived content rather than limiting publication to clearly designated files.

Ssd 3 (severity: High, confidence: 98%)

The workflow explicitly states that the owner-only capability is not constrained by password or allow_download settings, meaning the agent can retrieve files even when the shared link was configured to prevent exactly that. This undermines the platform's access-control model and can expose non-public documents to users who only possess a link reference, not the permissions intended for download.

Ssd 3 (severity: High, confidence: 98%)

This workflow explicitly tells the agent to ask users to paste API keys into chat, then use those secrets in subsequent commands and storage flows. Collecting secrets through conversational channels increases the risk of exposure via logs, transcripts, model context retention, debugging tools, or accidental echoing back to the user.

Ssd 3 (severity: High, confidence: 99%)

The workflow requires the agent to print a newly generated API key and a binding URL containing that key directly into chat. Exposing bearer credentials in message history creates immediate compromise risk if chat transcripts are stored, shared, monitored, or later surfaced to other tools or users.

Ssd 3 (severity: High, confidence: 99%)

The fallback path repeats the same unsafe pattern: instructing users to submit API keys in chat and saving them to a local fallback credential file. This broadens the attack surface because the secret is exposed both in conversation logs and in potentially less-protected local storage.

Ssd 3 (severity: High, confidence: 99%)

The normal-agent workflow again asks the user to send API keys in conversation and confirms key-bearing outputs such as generated credentials. The repetition across standard flows suggests systemic unsafe secret-handling practices that can leak credentials through transcripts, tool invocation logs, or downstream prompt/context reuse.

VirusTotal

64/64 vendors flagged this skill as clean.