Knowledge Planet Post Fetching Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated purpose, but it can silently use an embedded account token to fetch private Knowledge Planet content instead of requiring the user's own token.

Review before installing. Remove the hardcoded DEFAULT_TOKEN path, require an explicit user-managed token, avoid plaintext token.json storage unless you knowingly accept that risk, and treat ZSXQ_TOKEN like a password. Only run group enumeration or bulk fetching when you intend to expose that account's joined groups and private posts to the agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The code embeds a hard-coded access token and automatically uses it when no user-provided token is present, causing outbound authenticated requests under potentially unintended credentials. This can expose the embedded account's private groups/posts and may also make the operator unknowingly access or act as another account, which is especially dangerous in a data-fetching skill handling private content.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README instructs users to manually extract a live `zsxq_access_token` from browser cookies and store it in a local environment file, but it provides no warning that this credential is sensitive, long-lived, or should never be shared, logged, or committed. In a skill designed to fetch private knowledge-base content, compromise of this token could allow unauthorized access to joined groups and their posts, making the omission materially risky in context.

Vague Triggers

Medium
Confidence: 83%
Finding
The invocation example is very broad and conversational, which increases the chance that normal user requests about 'latest content' will automatically trigger this skill without clear intent boundaries. Because the skill can access authenticated, potentially private Knowledge Planet content, accidental triggering could expose or summarize sensitive posts in contexts where the user did not explicitly intend to use this data source.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs use of an account access token and retrieves account-scoped data, but it does not prominently warn that this grants access to private content and account-associated metadata. Without an explicit privacy warning and consent boundary, users may expose sensitive subscription, membership, and post data more broadly than intended.

Missing User Warnings

High
Confidence: 99%
Finding
Using an embedded authentication token without prominent warning means the tool may silently authenticate to a third-party API and retrieve private data. This creates credential misuse, privacy, and account-compromise risk because operators may not realize they are transmitting and using someone else's persistent credential.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document instructs users to extract and copy `zsxq_access_token` from browser developer tools without clearly labeling it as a sensitive bearer credential or warning against disclosure and unsafe storage. In a skill designed to fetch private platform content, this increases the chance that users paste long-lived authentication material into insecure places, leading to account takeover or unauthorized data access if leaked.

Ssd 3

High
Confidence: 98%
Finding
The documentation tells the user how to extract a live authentication token from browser developer tools and use it in the skill. This is a sensitive-credential acquisition pattern that normalizes unsafe secret handling and can lead to account compromise if the token is pasted into insecure contexts, logged, stored, or reused beyond the intended purpose.

Ssd 3

Medium
Confidence: 91%
Finding
The skill includes a command to enumerate all groups joined by the current account, which exposes account relationship data that may be sensitive even if post content is not fetched. In context, this broadens access from a user-specified group fetcher into account-wide discovery, increasing privacy risk and the blast radius of token misuse.

VirusTotal

66/66 vendors flagged this skill as clean.
