Story Master / Creating scripts through graphs and pipelines

Security checks across malware telemetry and agentic risk

Overview

This is a coherent story-generation skill, but it needs review because a crafted pipeline ID can make its graph-file code read, write, or delete JSON files outside the intended folder.

Review before installing. Use only non-sensitive story material unless you are comfortable with local persistence, avoid manually supplying arbitrary pipeline IDs, and prefer a fixed version that validates pipeline_id and verifies that resolved graph paths stay under the intended data/graphs directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill explicitly describes persistent local state in `data/pipeline_state.json` and local cache management, which implies file read/write behavior without any declared permissions or user-facing disclosure. This is dangerous because hidden filesystem access can expand the skill's effective trust boundary, allowing unintended storage of sensitive user content or later abuse by implementations that read or overwrite local files beyond what users expect.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
`pipeline_id` is interpolated directly into the filename via `os.path.join(self.storage_dir, f"{pipeline_id}.json")` with no normalization or validation. An attacker who controls `pipeline_id` can use path traversal sequences such as `../` to read, overwrite, or delete files outside the intended graph directory, and the surrounding methods (`_load_graph`, `_save_graph`, `delete_graph`) make this reachable for file read/write/delete operations.

VirusTotal

65/65 vendors flagged this skill as clean.