干饭 skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine meal recommendation skill, but it bundles broad map access, scheduling, profile storage, and file-writing behavior that users should review before installing.

Install only if you are comfortable with local meal reminders, stored taste/location/history data, and sending restaurant searches or route endpoints to AMap. Use a limited AMap Web Service key, avoid saving it in config.json, review generated restaurant skills before keeping or sharing them, and do not include Wi-Fi passwords or grant unrelated purchase/crypto authority for this version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to use environment variables and make network requests to AMap, but the manifest does not declare those capabilities or warn users about them. Hidden capability use weakens informed consent and sandbox/policy enforcement, especially because location-oriented network calls and key handling are involved.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The advertised behavior is a meal recommendation helper, but the referenced functionality expands into broader POI search, route planning, local app communication, browser opening, QR/link generation, and local config/key handling. This mismatch can cause users or host systems to grant trust to a much more capable workflow than the description suggests, increasing the chance of privacy leakage or unintended side effects.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The navigation flow documents side effects beyond a simple meal-helper skill: it can open a browser and expose route/map data automatically. Even if intended as convenience, automatic UI/network side effects can surprise users, leak location context to external services, and expand the skill's effective permissions without an explicit consent step.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documentation instructs users or agents to export and consume an API key from environment variables for external service access. While common, this is security-sensitive because agent logs, shell history, debug output, or downstream subprocesses may inadvertently expose the key, and the skill encourages operational use without discussing secret-handling safeguards.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The discover flow pipes external search results into a generator that writes restaurant skill artifacts to disk, creating a content-to-file write path from untrusted data. If the POI data or generated fields are malformed or adversarial, this can result in unsafe file creation, misleading skill content, or overwrite/path issues depending on generator safeguards.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The generator emits Wi-Fi credentials directly into the generated SKILL.md, which can disclose sensitive access information to any downstream user or system that can read the skill. In the context of an eat/restaurant-discovery skill, publishing network passwords is not necessary for the core purpose and expands access beyond an appropriate need-to-know boundary.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to send telemetry requests to AMap before carrying out user-requested actions, but this data collection is not necessary to fulfill map search or route-planning functionality and is not clearly disclosed to the user. Undisclosed outbound network calls can leak usage metadata, expand the skill's data footprint, and create a covert analytics channel beyond the user's intent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill states that the user's AMap Web Service key may be saved to a local configuration file for later reuse. Persisting user-provided API credentials increases exposure risk if the filesystem, logs, backups, or other skills can access that file, and it exceeds the minimum handling needed for a simple assistant workflow.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This dependency skill provides broad mapping, routing, tourism planning, geocoding, and heatmap capabilities, which materially exceed the stated purpose of the parent eat-skill as a dining decision assistant. Excess capability increases the attack surface, creates opportunities for unintended invocation and data access, and weakens the principle of least privilege for the host skill.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file materially exceeds the manifest’s declared purpose. An 'eat decision' skill that secretly includes generic map navigation and arbitrary POI search expands capability scope, which can enable unintended location queries, user tracking workflows, or hidden tool reuse outside the food domain; capability/manifest mismatch is a real security concern because users and orchestrators rely on the manifest for trust and permission decisions.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The direction command provides broad route-planning functionality unrelated to the stated purpose of helping choose food and find nearby restaurants. In context, this unnecessary power increases the attack surface and allows the skill to be repurposed for arbitrary navigation tasks, undermining least privilege and making hidden behavior harder for users to detect.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The script invokes a local OS command via child_process.exec to open a browser. Even though the executable name is chosen from a fixed platform-dependent list, spawning a shell is unnecessary here and creates avoidable command-execution risk if the URL source or environment is ever influenced unexpectedly; it also triggers local side effects not justified by a food recommendation skill.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README states that the AI will learn the user's taste, location, and budget and the project structure explicitly references a persistent `user-profile.json`, but it does not clearly warn users that this personal data may be stored locally. This creates a real privacy issue because users may disclose location and preference data without informed consent, especially in shared or synced environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README says meal reminders are automatically enabled by default, which means the skill may proactively schedule or push reminders without a clear up-front consent warning. Automatic background reminders are security-relevant because they change user expectations and can create unwanted persistence or execution behavior on the host system.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to configure an AMap Web Service API key and use nearby search and routing commands, but it does not clearly warn that keywords, city, and origin/destination coordinates may be sent to an external third-party service. This is a genuine privacy and data-sharing issue because location-related queries can reveal sensitive movement or place information.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that the skill learns the user's taste, location, and budget and also documents a persisted `user-profile.json`, but it does not clearly disclose what data is stored, for how long, or how users can review/delete it. In an agent-skill context, collecting location and preference data can expose sensitive behavioral information and creates privacy risk if users enable the skill without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README says scheduled reminders are auto-enabled on install, meaning the skill may proactively execute and send nudges without an explicit opt-in step. Autonomous scheduled execution increases risk because users may not realize the skill will run in the background, consume resources, or surface notifications unexpectedly.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Broad natural-language triggers like everyday food-related phrases can cause accidental activation during ordinary conversation. Unintended invocation matters here because the skill may read/write profile data and initiate location-based lookups or other downstream actions without a clearly deliberate user command.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Several command trigger phrases are generic enough that invocation boundaries are unclear, making it easy to trigger restaurant search, navigation, or skill-generation flows unintentionally. Because some commands can lead to external API calls or filesystem writes, ambiguous invocation increases operational and privacy risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill collects and stores location, dietary preferences, budget, and dining history in a local profile file, but the description does not clearly warn users about this persistence. Silent retention of personal habit and location-adjacent data creates privacy risk, especially if shared workstations, synced folders, or other local tools can access the file.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill sends location-based queries to the AMap web service but does not provide a clear privacy warning before external transmission. Even if limited to restaurant discovery/navigation, location data is sensitive and can reveal home/work areas or routines when combined with timestamps and search history.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The `/eat-select` trigger phrases include broad natural-language expressions such as ordinary meal-related questions, which can overlap with casual conversation. In an agent environment, ambiguous triggers can invoke recommendation, persistence, or follow-on external actions unexpectedly, especially because this skill chains into discovery and history recording.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The random-mode triggers include very common phrases like '随便' (roughly "whatever") and similar generalized expressions. These are highly likely to appear in ordinary chat, making accidental activation plausible and increasing the chance of unintended recommendations or downstream actions without user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The navigation triggers include broad phrases like asking how to get somewhere, which can overlap with normal conversation. Because this command processes location and may open external map views/browser windows, unclear activation boundaries materially raise the risk of unintended privacy-impacting actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that accepted recommendations are recorded into `user-profile.json` history, but it does not clearly warn users about local persistence, retention, or how the data will be used. Silent state retention can expose dietary habits or routine patterns and violates reasonable expectations of ephemeral chat behavior.

VirusTotal

61/61 vendors flagged this skill as clean.