POI Detail Page Troubleshooting Orchestrator (POI 详情页问题排查编排器)

Security checks across malware telemetry and agentic risk

Overview

This is a genuine POI debugging tool, but it uses session IDs to query logs, replays requests, and stores results locally without adequate safeguards.

Install only in an authorized internal debugging environment. Treat GSIDs, trace IDs, log output, full replay URLs, and saved JSON reports as sensitive production or business data. Review the script before use, avoid online replay unless explicitly approved, redact values before sharing, and delete or secure files written under /tmp after each investigation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill explicitly instructs the agent to use shell commands, read local reference files, and write response data to `/tmp/poi_response.json`, yet it declares no permissions. This creates a capability/permission mismatch that can bypass user expectations and platform policy, especially because the workflow also accesses logs and replays live requests containing session identifiers.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The trigger list includes broad and ambiguous terms such as "contentPerson" and "手艺人模块", which can overlap with normal discussion and unintentionally invoke a skill that performs log access, request replay, and code inspection. In this skill context, accidental activation is more dangerous because the documented workflow touches sensitive operational systems and may expose business data or trigger unnecessary internal queries.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The document advertises automatic execution of code lookup, log querying, request reproduction, and response parsing, but does not clearly warn that these actions may access sensitive business data and require appropriate authorization. In a debugging/orchestration skill, this omission can lead users to run the workflow without understanding data handling, permission boundaries, or privacy implications, increasing the risk of unauthorized access or over-collection.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The trigger list includes broad, ambiguous phrases such as "poi 问题", "poi 调试", and domain nouns like "contentPerson" that may appear in ordinary discussion, causing the skill to activate outside the intended debugging workflow. In a skill that orchestrates multi-step investigation actions, unintended invocation can expose internal operational context, trigger unnecessary diagnostic behavior, or cause users to rely on the wrong automation path.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The README instructs users to supply a real user session ID (gsid) and replay requests, but it provides no warning about treating session identifiers and replayed traffic as sensitive production data. In this skill's context, that omission increases the chance of unsafe handling, unauthorized reuse, or accidental disclosure of user-linked request data during debugging.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The README documents a workflow that queries logs, replays requests, parses responses, and stores raw responses under /tmp/poi-debug-results/ without any guidance on production-data exposure, retention, or local artifact protection. Because this skill is explicitly designed for gray/online environments and operational debugging, the missing safeguards materially raise the risk of leaking personal, session, or business-sensitive data through local files, terminals, and shared systems.

Missing User Warnings

Severity: Low
Confidence: 76%
Finding: The README states that diagnostic results are automatically persisted under /tmp, and the examples show those results may contain GSID, TraceID, POIID, environment details, response contents, and code-location context. On multi-user systems or shared workstations, writing potentially sensitive operational data to predictable temporary paths without warning, minimization, or retention guidance can lead to unintended local disclosure.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger phrases include broad, ordinary troubleshooting terms such as `POI 排查`, `poi 问题`, `详情页异常`, and `traceId 分析`, which can cause the skill to activate in routine conversations that mention debugging. Because the skill then performs log queries and request replay, accidental invocation can expose operational data or execute sensitive actions without the user intending to launch this workflow.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill is designed to query logs using `gsid`, extract full request URLs, and replay them with `curl`, but it does not provide a clear warning or consent step for handling sensitive session and request data. In context, this is particularly dangerous because `gsid`, trace IDs, full URLs, and logged parameters may contain authentication material, user identifiers, or internal service details that could be leaked, replayed, or mishandled.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The package description embeds a long trigger list containing broad phrases such as "POI 排查", "poi 问题", and "详情页异常", which can cause the skill to activate for vague or only partially related user inputs. Because this skill performs a multi-step troubleshooting workflow involving code/log inspection and request reproduction, unintended invocation could expose sensitive internal debugging behavior or cause the agent to act in an overly privileged diagnostic context when the user did not explicitly request it.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The document provides ready-to-run log query commands that use a GSID, which is a user/session identifier, and an employee ID, but gives no guidance on minimizing, masking, authorizing, or securely handling that data. In a troubleshooting skill that explicitly encourages querying production logs and reproducing requests, this increases the chance of unnecessary access, disclosure, or reuse of sensitive session-linked information.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script reconstructs and replays a production-derived URL from logs, then saves the full response body to a predictable file under /tmp. In a debugging workflow for POI detail pages, responses and query parameters may contain internal identifiers or sensitive business/user data, and /tmp storage increases exposure to other local users, processes, or leftover artifacts.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The script writes a persistent JSON report to /tmp containing GSID, POIID, trace ID, parsed response content, and file path metadata. In this skill's context, those values come from production troubleshooting and can expose internal request traces, business data, and potentially sensitive response fields to other users or processes on the host if temporary storage is shared or not cleaned up.

VirusTotal

51/51 vendors flagged this skill as clean.