内容引擎 / Content Engine

Security checks across malware telemetry and agentic risk

Overview

This is a coherent content-publishing skill, but it needs Review because some Obsidian and export paths can read or overwrite local files outside the intended locations.

Install only if you are comfortable giving the skill local file access and optional publishing tokens. Use a dedicated Obsidian vault or folder for publishable drafts, avoid passing arbitrary or generated file paths, preview and confirm every publish action, and store platform tokens outside source control with the minimum permissions available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium, 93% confidence
Finding
The export function writes attacker-controlled content to a fully user-supplied file path with no path restrictions, sandboxing, or confirmation. In an agent context, this can be abused to overwrite arbitrary files accessible to the process, potentially clobbering configs, notes, shell startup files, or application data and causing integrity loss or follow-on compromise.

Description-Behavior Mismatch

Medium, 93% confidence
Finding
After collecting platform metrics, the module silently forwards the content ID, platform, metrics, and potentially sensitive content metadata such as title, tags, topic, publish time, and body length into a separate learning engine. This exceeds the stated scope of a metrics/reporting module and creates an undisclosed secondary data flow that can expose user content metadata to another subsystem without consent or clear necessity.

Context-Inappropriate Capability

High, 98% confidence
Finding
`import_draft` and `export_draft` join a user-controlled relative path with the vault root using `os.path.join(vault_path, file_rel)` but never normalize the result and verify that it stays inside the vault. An attacker can supply a traversal path such as `../../.ssh/authorized_keys`, or an absolute path (which makes `os.path.join` discard the vault root entirely), to read or overwrite any file accessible to the process. This is especially dangerous in an automation/integration skill that handles filesystem content on behalf of a user, where the path may originate from a prompt rather than from the user.

Intent-Code Divergence

Medium, 97% confidence
Finding
`batch_adapt_content` bypasses per-platform controls enforced in `adapt_content`, most notably the paid-feature check for WeChat and the normal preprocessing/post-processing pipeline. In a skill that gates functionality by subscription tier, this creates a real authorization flaw: a caller can request batch adaptation including `wechat` and obtain output that should require a higher entitlement.
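To make the bypass concrete, here is an added example that is not the Content Engine skill's own code: a single-item adapter that carries the entitlement check and the pre/post-processing pipeline, a batch entry point that re-implements the formatting and so skips both (the pattern the finding describes), and a batch entry point that simply delegates. The platform names, character limits, tier names and the `PAID_PLATFORMS` table are assumptions for illustration.

```python
# Added example, not the Content Engine skill's own code. Platform names,
# limits and tiers below are assumptions chosen to illustrate the finding.

PAID_PLATFORMS = {"wechat"}  # assumption: WeChat adaptation is a paid feature
PLATFORM_LIMITS = {"twitter": 280, "linkedin": 3000, "medium": None, "wechat": 20000}


class EntitlementError(PermissionError):
    """The caller's tier does not include the requested platform."""


def adapt_content(content: str, platform: str, tier: str) -> str:
    """Adapt one article for one platform. Every control lives here."""
    if platform not in PLATFORM_LIMITS:
        raise ValueError(f"unknown platform {platform!r}")
    if platform in PAID_PLATFORMS and tier != "paid":
        raise EntitlementError(f"{platform} requires the paid tier")
    body = " ".join(content.split())  # preprocessing: normalise whitespace
    limit = PLATFORM_LIMITS[platform]
    if limit is not None and len(body) > limit:
        raise ValueError(f"{platform}: {len(body)} chars exceeds limit of {limit}")
    return f"[{platform}] {body}"  # post-processing: platform tag


def batch_adapt_content_bypass(content: str, platforms, tier: str) -> dict:
    # The finding's pattern: the batch path formats directly and never calls
    # adapt_content, so neither the paid check nor the length limit applies.
    # A free-tier caller gets "wechat" output by asking for it in a batch.
    return {p: f"[{p}] {content}" for p in platforms}


def batch_adapt_content(content: str, platforms, tier: str) -> dict:
    """Hardened batch path: delegate every item to adapt_content.

    The dict is only returned once every item passed, so a rejected platform
    raises before any partial output is handed back to the caller.
    """
    return {p: adapt_content(content, p, tier) for p in platforms}


if __name__ == "__main__":
    print(batch_adapt_content_bypass("hello", ["twitter", "wechat"], "free"))
    try:
        batch_adapt_content("hello", ["twitter", "wechat"], "free")
    except EntitlementError as exc:
        print("hardened batch refused:", exc)
```

The design point is that there should be exactly one function per platform where the checks happen, and every other entry point, batch or otherwise, calls it; a second code path that "knows" how to format output is a second place where a check can be forgotten.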

Missing User Warnings

Medium, 87% confidence
Finding
The README states that all data is stored locally and that API calls go directly to platforms, but it does not clearly warn users that publishing necessarily transmits article content, metadata, and account-linked information to third-party services such as WeChat, Twitter, LinkedIn, or Medium. This can mislead users into overestimating privacy protections, especially in a tool marketed around local storage, and may cause accidental disclosure of sensitive or regulated content.

Missing User Warnings

Medium, 91% confidence
Finding
The README instructs users to export multiple access tokens, app secrets, and vault paths but provides no guidance on secure handling, storage, rotation, or avoidance of shell history and source control exposure. In practice, users often copy these commands into persistent shell profiles or shared environments, increasing the chance of credential leakage and downstream compromise of social media, WeChat, Medium, or content repositories.

Missing User Warnings

Medium, 91% confidence
Finding
The code performs a filesystem write to an arbitrary user-provided path without any visible warning, confirmation, or safety barrier. In a tool that may be driven by higher-level agents or untrusted prompts, this makes unintended or malicious file overwrite more dangerous because the action is easy to trigger and not constrained to benign export locations.
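The three file-path findings above (the unconfirmed export write, the unchecked `os.path.join(vault_path, file_rel)` in `import_draft`/`export_draft`, and the missing warning on arbitrary writes) share one fix. The following is an added example, not the Content Engine skill's own code: the join-without-check pattern beside a resolver that confines paths to the vault, and an export function that refuses to write until a confirmation callback has seen the resolved target. The function names, the `confirm` callback and the `.md`-only restriction are assumptions for illustration; `demo()` builds a throwaway vault so the block runs offline.

```python
# Added example, not the Content Engine skill's own code. Function names,
# the confirm callback and the ".md" restriction are assumptions.
import os
import tempfile
from pathlib import Path


def vault_path_unsafe(vault_root: str, file_rel: str) -> str:
    # The pattern from the finding: join and trust the result. os.path.join
    # keeps ".." segments and drops vault_root entirely if file_rel is absolute.
    return os.path.join(vault_root, file_rel)


def vault_path_safe(vault_root: str, file_rel: str) -> Path:
    """Resolve file_rel under vault_root and refuse anything that escapes it."""
    root = Path(vault_root).resolve()
    if Path(file_rel).is_absolute():
        raise ValueError(f"absolute path not allowed: {file_rel!r}")
    # resolve() normalises ".." and follows symlinks in existing parents, so a
    # symlinked subfolder that points out of the vault is caught as well.
    candidate = (root / file_rel).resolve()
    # commonpath, not startswith: "/vault" must not accept "/vault2/x".
    if os.path.commonpath([str(root), str(candidate)]) != str(root):
        raise ValueError(f"path escapes vault: {file_rel!r}")
    return candidate


def export_draft(vault_root: str, file_rel: str, content: str, confirm) -> Path:
    """Write content to a vault-contained Markdown path, only after confirm()."""
    target = vault_path_safe(vault_root, file_rel)
    if target.suffix.lower() != ".md":
        raise ValueError(f"only .md exports allowed, got {target.name!r}")
    if not confirm(target):  # caller shows the resolved path and asks the user
        raise PermissionError(f"export to {target} not confirmed")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target


def demo() -> dict:
    """Exercise both resolvers and the gate in a temporary vault; return outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        vault = os.path.join(tmp, "vault")
        os.makedirs(vault)
        # Unsafe join: traversal and absolute inputs both leave the vault.
        esc = os.path.normpath(vault_path_unsafe(vault, "../../.ssh/authorized_keys"))
        out["unsafe_traversal_escapes"] = not esc.startswith(vault + os.sep)
        out["unsafe_absolute_escapes"] = not vault_path_unsafe(vault, "/etc/passwd").startswith(vault)
        # Safe resolver: the same inputs are rejected, a normal path is kept.
        for rel in ("../../.ssh/authorized_keys", "notes/../../escape.md",
                    "/etc/passwd", "notes/draft.md"):
            try:
                vault_path_safe(vault, rel)
                out[rel] = "allowed"
            except ValueError:
                out[rel] = "rejected"
        # Confirmation gate: nothing touches disk unless confirm() returns True.
        try:
            export_draft(vault, "notes/draft.md", "# hi", confirm=lambda p: False)
            out["refused_without_confirm"] = False
        except PermissionError:
            out["refused_without_confirm"] = True
        out["file_exists_before_confirm"] = os.path.exists(
            os.path.join(vault, "notes", "draft.md"))
        written = export_draft(vault, "notes/draft.md", "# hi", confirm=lambda p: True)
        out["written"] = written.read_text(encoding="utf-8")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats worth keeping in mind when adopting this: the containment check is only as meaningful as the root it is given, so a skill configured with a vault root of `/` or the user's home directory has confined nothing, and the `confirm` callback must display the resolved path, not the string the caller passed, since the two can differ.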

Missing User Warnings

Medium, 95% confidence
Finding
The script automatically forwards performance metrics and related content metadata to the learning engine with no user-facing disclosure, approval, or separation of duties. This creates a hidden data-sharing path that may violate user expectations, privacy boundaries, or data minimization requirements.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal