AI离谱甲方

Security checks across malware telemetry and agentic risk

Overview

This paid entertainment skill is not plainly malicious, but its payment flow can report success without verified payment and handles order data with weak disclosure and controls.

Review this before installing if you care about paid-flow integrity or prompt privacy. Confirm the payment amount and recipient yourself, avoid putting sensitive client or business details in the question, and prefer a version that fails closed on payment errors, clearly documents the localhost service, and deletes or protects completed order files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch (High severity, 99% confidence)

Finding
The skill advertises payment verification as a prerequisite, but when the backend call fails it silently falls back to generate_local(question), which still returns the full service output. This creates a fail-open authorization bypass: a user can obtain the paid result without confirmed payment simply by causing backend unavailability or request failure.

Description-Behavior Mismatch (High severity, 98% confidence)

Finding
The program always prints PAY_STATUS: SUCCESS after generate_feedback(result), even though the result may have come from the unverifiable local fallback rather than a confirmed paid backend response. This can mislead upstream systems, logs, or wrappers into treating unpaid or unverified execution as successfully paid, compounding the payment bypass and weakening audit integrity.

Context-Inappropriate Capability (Medium severity, 86% confidence)

Finding
The script stores the user's question together with payment metadata and server-returned fields locally, but there is no visible minimization, retention control, or user disclosure. Because the question may contain sensitive business requirements or personal data, unnecessary local persistence increases exposure if local files are read by other users, malware, or later tooling.

Description-Behavior Mismatch (High severity, 99% confidence)

Finding
This is a real vulnerability. If credential decryption or parsing fails, the code sets pay_status = "SUCCESS" and continues to return paid content, which completely bypasses payment verification. In a paid skill, this directly defeats the access-control boundary and allows anyone to obtain service output with a malformed or fake credential.

Intent-Code Divergence (Medium severity, 97% confidence)

Finding
The comment indicating 'simulation mode' is not just documentation drift; it corresponds to behavior that treats verification failure as payment success. That makes the insecure bypass appear intentional or at least knowingly tolerated, increasing the likelihood it ships to production unchanged. In practice, this weakens trust in the payment gate and enables unauthorized use.

Missing User Warnings (Medium severity, 87% confidence)

Finding
The code posts orderNo, question, and credential to http://localhost:8080 over plaintext HTTP. Even though localhost reduces remote exposure, unencrypted local transport and lack of disclosure can still expose sensitive payment-related data to local proxies, container boundary issues, malware, or misconfiguration, especially in shared or multi-tenant environments.

Missing User Warnings (Medium severity, 97% confidence)

Finding
The user's question is sent in cleartext over HTTP to a local service endpoint, so any local proxy, compromised host component, or malicious software with network visibility can inspect or tamper with the content. Since the question may include private work requests and the response affects payment/order state, lack of transport protection creates confidentiality and integrity risk.

Missing User Warnings (Medium severity, 90% confidence)

Finding
Order details, including the user's question, encrypted_data, and payment destination fields, are written to local storage without any visible warning or access control in this file. Even if intended for normal operation, silently persisting this data can leak sensitive prompt content and payment-related metadata to other local users or processes.

VirusTotal

VirusTotal findings are pending for this skill version.
