连续短剧剧情构建 (Serial Short-Drama Plot Construction)

Security checks across malware telemetry and agentic risk

Overview

This story-generation skill is not malicious, but it needs review: it stores full generated content locally, documents sending content to a third-party webhook, and has an unvalidated file-path helper that can read, overwrite or delete files outside its intended folder.

Install only if you are comfortable storing full story drafts locally and potentially sending them to the documented third-party graph webhook. Avoid sensitive or proprietary story material, clear the bundled sample pipeline state if you want a fresh workspace, and do not pass untrusted or caller-supplied pipeline IDs to the graph store until the path validation issue is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill explicitly describes reading and writing local state (`data/pipeline_state.json`) and therefore exercises file I/O, but it declares no permissions or capability boundaries. Undeclared file access weakens the trust model: operators and users cannot accurately assess what the skill can persist or modify, and future implementation drift could extend access beyond the intended state file without any policy signal.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
`review_episode` is documented as performing episode quality review, but its body is only `pass`, so any caller expecting an actual review silently skips a security/quality gate. In a pipeline that advertises an 'AI质检+人工确认的双控机制' (a dual-control mechanism of AI quality inspection plus human confirmation), this is a control-bypass condition: whenever this method is the gate, unsafe or low-quality content proceeds without review because the caller receives no verdict and nothing fails closed.
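The remedy for a no-op gate is to make the caller fail closed: require an explicit verdict object and refuse to proceed on anything else. The following is an added example written for this review, not the skill's own code; `review_episode`, `publish_episode`, the quality rules (`BANNED_MARKERS`, `MIN_BODY_CHARS`) and the sample episodes are all hypothetical. `stub_review` reproduces the `pass`-only method from the finding so the difference in outcome is visible.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple


class Verdict(Enum):
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass(frozen=True)
class ReviewResult:
    """Explicit verdict; a gate must return this, never None."""
    verdict: Verdict
    reasons: Tuple[str, ...] = ()


class NotReviewedError(RuntimeError):
    """Raised when the review step produced no verdict at all."""


class ReviewRejectedError(RuntimeError):
    """Raised when the review step explicitly rejected the episode."""


# Hypothetical quality rules standing in for the skill's real checks.
BANNED_MARKERS = ("[TODO]", "[PLACEHOLDER]")
MIN_BODY_CHARS = 200


def review_episode(episode: dict) -> ReviewResult:
    """A review that always returns a verdict, with reasons on rejection."""
    reasons = []
    body = episode.get("body", "")
    if not isinstance(body, str) or len(body) < MIN_BODY_CHARS:
        reasons.append(f"body shorter than {MIN_BODY_CHARS} characters")
    for marker in BANNED_MARKERS:
        if isinstance(body, str) and marker in body:
            reasons.append(f"unresolved marker {marker}")
    if not episode.get("title"):
        reasons.append("missing title")
    if reasons:
        return ReviewResult(Verdict.REJECTED, tuple(reasons))
    return ReviewResult(Verdict.APPROVED)


def stub_review(episode: dict) -> None:
    """Mirrors the finding: a documented review whose body is only `pass`."""
    pass


def publish_episode(
    episode: dict,
    reviewer: Callable[[dict], Optional[ReviewResult]] = review_episode,
) -> dict:
    """Fail-closed caller: only an explicit APPROVED verdict lets content through."""
    result = reviewer(episode)
    if not isinstance(result, ReviewResult):
        # A stubbed or misbehaving reviewer returns None; treat that as a failure,
        # not as approval.
        raise NotReviewedError("review step returned no verdict; refusing to publish")
    if result.verdict is not Verdict.APPROVED:
        raise ReviewRejectedError("; ".join(result.reasons) or "rejected")
    return {"title": episode["title"], "status": "published"}


def gate_outcome(episode: dict, reviewer=review_episode) -> str:
    """Summarise what the gate did, for logging or assertions."""
    try:
        publish_episode(episode, reviewer)
    except NotReviewedError:
        return "blocked:not-reviewed"
    except ReviewRejectedError as exc:
        return f"blocked:{exc}"
    return "published"


# Constructed sample episodes (not real skill output).
SAMPLE_EPISODE = {"title": "Episode 1", "body": "x" * 240}
DRAFT_EPISODE = {"title": "Episode 2", "body": "[TODO] write this " * 20}

if __name__ == "__main__":
    print(gate_outcome(SAMPLE_EPISODE))               # published
    print(gate_outcome(SAMPLE_EPISODE, stub_review))  # blocked:not-reviewed
    print(gate_outcome(DRAFT_EPISODE))                # blocked:unresolved marker [TODO]
```

The design point is the type check on the return value: with the stubbed reviewer the content is blocked rather than waved through, which is the behaviour the documented dual-control mechanism implies.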

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
`pipeline_id` is interpolated directly into a filename with `os.path.join(self.storage_dir, f"{pipeline_id}.json")` and the result is later used for read, write, and delete operations. `os.path.join` does not normalise `..` components, and the operating system resolves them, so an attacker who controls `pipeline_id` can supply traversal sequences such as `../` to escape the intended graph directory and read, overwrite, or delete any file the process can reach whose name ends in `.json`.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The documentation claims the module manages graphs using local JSON storage, which implies confinement to the designated graph directory, but the implementation does not enforce that boundary. This mismatch is security-relevant because callers and reviewers may trust the documented storage scope while attacker-controlled `pipeline_id` values can redirect file operations outside that area.
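The two findings above describe the same defect from the code side and the documentation side, so one added example covers both: a reconstruction of the unsafe join, a check that shows how far a traversal ID escapes, and a hardened store that enforces the documented confinement. This is review code written for this page, not the skill's source; the class and function names (`GraphStore`, `escapes_storage_dir`, `is_valid_pipeline_id`, `round_trip`), the ID format, and the sample graph are assumptions.

```python
import json
import os
import re
import tempfile
from pathlib import Path


def unsafe_graph_path(storage_dir: str, pipeline_id: str) -> str:
    """Reconstruction of the pattern in the finding (not the skill's source)."""
    return os.path.join(storage_dir, f"{pipeline_id}.json")


def escapes_storage_dir(storage_dir: str, pipeline_id: str) -> bool:
    """True if the unsafe join, once the OS resolves '..', leaves storage_dir."""
    root = os.path.normpath(os.path.abspath(storage_dir))
    target = os.path.normpath(os.path.abspath(unsafe_graph_path(storage_dir, pipeline_id)))
    return os.path.commonpath([root, target]) != root


# Assumed ID format: a single path component, alphanumerics plus '-' and '_'.
PIPELINE_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def is_valid_pipeline_id(pipeline_id) -> bool:
    return isinstance(pipeline_id, str) and PIPELINE_ID_RE.fullmatch(pipeline_id) is not None


class GraphStore:
    """JSON-per-pipeline store that actually stays inside storage_dir."""

    def __init__(self, storage_dir):
        self.storage_dir = Path(storage_dir).resolve()
        self.storage_dir.mkdir(parents=True, exist_ok=True)

    def _path(self, pipeline_id) -> Path:
        # First line of defence: allowlist the identifier itself.
        if not is_valid_pipeline_id(pipeline_id):
            raise ValueError(f"invalid pipeline_id: {pipeline_id!r}")
        candidate = (self.storage_dir / f"{pipeline_id}.json").resolve()
        # Second, independent check on the resolved path: also catches a planted
        # symlink named <id>.json that points outside the directory.
        if candidate.parent != self.storage_dir:
            raise ValueError(f"resolved path leaves storage_dir: {candidate}")
        return candidate

    def save(self, pipeline_id, graph: dict) -> None:
        self._path(pipeline_id).write_text(json.dumps(graph), encoding="utf-8")

    def load(self, pipeline_id) -> dict:
        return json.loads(self._path(pipeline_id).read_text(encoding="utf-8"))

    def delete(self, pipeline_id) -> None:
        self._path(pipeline_id).unlink()


def round_trip(storage_dir=None) -> dict:
    """Save/load/delete a constructed graph and collect the IDs the store rejects."""
    if storage_dir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return round_trip(tmp)
    store = GraphStore(storage_dir)
    graph = {"nodes": ["ep1", "ep2"], "edges": [["ep1", "ep2"]]}  # constructed sample
    store.save("pipeline-001", graph)
    loaded = store.load("pipeline-001")
    store.delete("pipeline-001")
    rejected = []
    for bad in ("../../etc/cron.d/evil", "a/b", "", "x\x00y", "."):
        try:
            store._path(bad)
        except ValueError:
            rejected.append(bad)
    return {"loaded": loaded, "rejected": rejected}


if __name__ == "__main__":
    print(unsafe_graph_path("/srv/graphs", "../../etc/cron.d/evil"))
    print(escapes_storage_dir("/srv/graphs", "../../etc/cron.d/evil"))  # True
    print(round_trip())
```

Allowlisting the identifier is the fix that matters; the resolved-path comparison is defence in depth so that a later relaxation of the ID format, or a symlink dropped into the storage directory, still cannot redirect a read, write or delete outside the documented scope.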

VirusTotal

64/64 vendors flagged this skill as clean.
