Security audit

Rumor Buster - 双引擎谣言验证 (Dual-Engine Rumor Verification)

Security checks across malware telemetry and agentic risk

Overview

This fact-checking skill mostly matches its purpose, but it needs review because it can send verification text to external services and handles Tavily API keys insecurely.

Install only if you are comfortable with verification text being sent to external search providers. Before use, remove the hardcoded Tavily fallback key, avoid storing personal API keys in plaintext config, prefer explicit /verify and /rumor-buster setup commands, and do not submit private messages, credentials, or confidential documents unless you accept external lookup exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Tainted flow: 'payload' from os.getenv (line 25, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
    
    try:
        response = requests.post(url, json=payload, timeout=30)
        response.raise_for_status()
        return response.json()
    except requests.exceptions.RequestException as e:
Confidence
99% confidence
Finding
response = requests.post(url, json=payload, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill describes and embeds capabilities for environment access, file reads/writes, network use, and shell-adjacent execution via setup flows and external search tooling, yet no permissions are declared. This creates a transparency and trust problem: users and hosts cannot accurately assess that the skill may persist config, access local files, or send data to external services before invocation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior materially exceeds and diverges from the stated purpose: it includes setup/config persistence, possible API-key handling, engine probing, and lacks an implemented verification workflow beyond raw search. Such mismatch can mislead users into providing sensitive claims or credentials under the assumption of a simple fact-checking tool, while the actual behavior performs additional persistent and networked operations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The setup flow reads TAVILY_API_KEY directly from the environment, which gives the skill access to credentials without an explicit user action in that moment. Even if intended for convenience, this expands the skill from simple local setup/detection into secret access, and could expose or persist sensitive API material in logs or generated config.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The engine-detection routine performs live requests to third-party domains such as sogou.com and duckduckgo.com to test availability. This turns a local setup check into external network probing, which can leak metadata about the user's environment, create unwanted outbound traffic, and violate least-privilege expectations for an initialization skill.

Vague Triggers

Medium
Confidence
79% confidence
Finding
Broad trigger phrases that resemble everyday requests can cause accidental invocation in normal conversation, leading the skill to process and potentially transmit user content to external search services without clear intent. In a fact-checking context this is especially risky because users may paste private messages, rumors, or sensitive text expecting local analysis, not automatic external lookup.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow explicitly performs searches across native and third-party engines, but the skill does not warn that user queries may be sent to external services or APIs. This omission can expose private claims, messages, or personally sensitive content to search providers, especially when users are verifying screenshots, chats, or health/financial rumors.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The architecture allows setup to be spawned when the user says broad phrases like "setup" or "reset," which can be triggered accidentally during normal fact-checking conversations. In an agent skill that can write local configuration, this creates an unintended state-changing action surface and could lead to unnecessary reconfiguration, overwriting config, or prompting for sensitive setup inputs at the wrong time.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented configuration stores sensitive local data, including an API key, in `~/.rumor-buster-config`, but the architecture does not mention warning the user before writing it or protecting the file. In a security-sensitive agent environment, silent persistence of secrets to disk increases the risk of credential exposure through local compromise, backups, logs, or overly permissive file permissions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow explicitly sends the user's verification query to multiple external search providers, potentially including third-party APIs, without any requirement to notify the user or obtain consent. Verification queries may contain sensitive personal messages, private rumors, internal documents, or other confidential text, so silent transmission creates a real privacy and data-governance risk rather than a purely theoretical concern.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The manual trigger phrases "setup" and especially "设置" (Chinese for "settings") are overly generic and can match normal conversation or unrelated requests. In this skill, accidental invocation is more concerning because setup can inspect the environment, read credentials, and perform outbound checks, so an imprecise trigger increases the chance those actions occur unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prompts for a Tavily API key and persists it in a plaintext config file under the user's home directory without warning about local credential storage or setting restrictive file permissions. If the home directory, backups, logs, or local workstation are accessible to other users or malware, the API key can be recovered and abused.

Ssd 3

Medium
Confidence
87% confidence
Finding
Instructing the skill to include complete search results in a detailed report risks reproducing sensitive user-provided content, search snippets, or fetched material that may contain personal, confidential, or harmful information. This amplifies exposure by aggregating and redisplaying data that may have been sent externally during verification, potentially leaking more than necessary to the user session or logs.

VirusTotal

65/65 vendors flagged this skill as clean.