resolved-sh-rstack

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed resolved.sh operator toolkit that can make live business and publishing changes, so it is powerful but not deceptive or purpose-mismatched.

Install only if you trust the resolved.sh/rstack source and intend to let an assistant manage a live resolved.sh listing. Keep RESOLVED_SH_API_KEY and webhook_secret out of chat logs, source control, and screenshots; review every generated curl payload, resource ID, price, publication state, email address, and paywall setting before running it; clean up temporary rstack files if they contain account or secret data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Severity: Low
Confidence: 95%
Finding
The skill uses an undeclared environment variable (`RESOLVED_SH_RESOURCE_ID`) together with an API key to make an authenticated request for ask-inbox configuration, even though that input is not declared in metadata or described to the user. This creates hidden behavior and can cause the agent to access account-specific configuration beyond the skill's stated scope, reducing transparency and increasing the risk of unintended authenticated data access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The skill's declared purpose is content publishing, but it also configures a paid Ask inbox service that collects private contact details and changes account monetization settings. This scope expansion is dangerous because users and policy systems may grant trust based on the manifest while the skill performs additional higher-sensitivity actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill asks for a private email address and sends it to a remote service even though the top-level skill description emphasizes publishing posts, courses, and paywalls. Collecting additional sensitive user data outside the expected purpose increases privacy risk and can lead to unintended disclosure or configuration of contact channels.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The skill gives contradictory secret-handling guidance: it first says the webhook_secret is shown once, then later instructs the operator to retrieve it via a GET listing endpoint. If that endpoint does expose secrets, the skill normalizes broader secret retrievability and increases the chance of accidental disclosure; if it does not, the recovery guidance is incorrect and may cause operators to hunt for secrets in unsafe ways. In either case, this weakens secret-management expectations around a credential used to authenticate inbound requests.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README explicitly advertises skills that generate live `curl`/PUT/PATCH commands to modify pages, data products, paid services, and monetized content, but it does not warn users that these commands can directly change production state, publish listings, or expose billable endpoints. In an agent-skill context, copy-pasteable commands and automation-ready output materially increase the risk of unintended account changes, accidental publication, or enabling paid/public surfaces without adequate review.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding
The quick-start instructions tell users to set an API key environment variable without any guidance on secret handling, storage, or redaction. In agent-driven or shared-shell environments, this increases the risk of credentials being exposed in logs, transcripts, screenshots, shell history, or misconfigured deployment files, which could enable unauthorized API use.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The instruction to run proactively after any registration or related skill is broad enough to trigger network-fetching behavior without a clear contemporaneous user request. In an agent setting, this can lead to unauthorized external requests, unexpected use of configured credentials, and actions that the user did not explicitly ask to perform.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill description omits that it may perform authenticated network requests using `RESOLVED_SH_API_KEY` for optional checks. That lack of disclosure undermines informed consent and can cause users to supply credentials without realizing the audit will access protected account configuration, which is especially concerning in an agentic workflow.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The trigger phrases are broad enough that normal conversation such as wanting to 'publish a blog post' or 'add content to my page' may invoke a skill that can generate or run authenticated remote modifications. Unintended invocation is risky here because the skill is capable of changing live monetized content and account configuration.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill generates authenticated PUT requests that create or modify remote content but does not require an explicit warning or approval immediately before those changes. In a tool-using agent context, this can lead to accidental publication, draft overwrites, or monetization changes on a live account.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger phrases are broad enough to match common user requests such as "get discovered" or "where should I list this," which can cause the skill to activate in situations where the user did not explicitly intend to run a distribution workflow. In an agent environment, over-broad activation can lead to inappropriate tool use, unnecessary external lookups, or generation of publication/submission content for third-party platforms without clear user intent.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
```bash
# Post: "{title}"
curl -X PUT "https://resolved.sh/listing/$RESOLVED_SH_RESOURCE_ID/posts/{slug}" \
  -H "Authorization: Bearer $RESOLVED_SH_API_KEY" \
  -H "Content-Type: application/json" \
  -d @- <<'EOF'
```
Confidence: 88%
Finding
```bash
curl -X PUT "https://resolved.sh/listing/$RESOLVED_SH_RESOURCE_ID/posts/{slug}" \
  -H "Authorization: Bearer $RESOLVED_SH_API_KEY" \
  -H "Content-Type: application/json" \
  -d @- <<'EOF'
{ "title
```

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
**Generate the PUT command:**

```bash
curl -X PUT "https://resolved.sh/listing/$RESOLVED_SH_RESOURCE_ID" \
  -H "Authorization: Bearer $RESOLVED_SH_API_KEY" \
  -H "Content-Type: application/json" \
  -d @- <<'EOF'
```
Confidence: 90%
Finding
```bash
curl -X PUT "https://resolved.sh/listing/$RESOLVED_SH_RESOURCE_ID" \
  -H "Authorization: Bearer $RESOLVED_SH_API_KEY" \
  -H "Content-Type: application/json" \
  -d @- <<'EOF'
{ "md_content": "{ful
```

VirusTotal

63/63 vendors reported this skill as clean.