Tencent IMA Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears aimed at automating the Tencent IMA desktop client, but it does so by launching the app with remote debugging enabled and by rewriting the app's outbound requests, two capabilities users should review carefully before installing.

Install only if you are comfortable giving the skill control over your Tencent IMA desktop session. Before use, confirm why remote debugging is required, whether the debug port is bound to localhost only and closed once the skill finishes, which private knowledge IDs are stored and where, what page text is scraped and what is done with it, and whether each private-knowledge query is explicitly user initiated.
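One way to work through that checklist before installing, as an added example that is not code from the skill, from Tencent, or from SkillSpector: a small Python triage that scans a skill's files for the capabilities listed above, prints the exact lines so a reviewer can read them, and flags any detected capability the README never mentions. The regex list, the disclosure keywords and the sample skill files are constructed assumptions about how such code commonly looks (Chromium DevTools flags, CDP calls, DOM scraping), not a description of this skill's actual source.

```python
"""Pre-install triage for an agent skill that drives a desktop app.

Added example for this review page; it is not code from the Tencent IMA skill
or from SkillSpector. It scans a skill's files for the capabilities the
checklist asks about, reports the exact lines so a reviewer can read them,
and flags capabilities the README never mentions. The regex list and the
sample skill below are constructed for illustration.
"""
import re

CODE_SUFFIXES = (".py", ".js", ".ts", ".sh", ".ps1", ".json", ".yaml", ".yml")

# capability -> regexes that commonly indicate it (assumed, general patterns:
# Chromium DevTools flags, CDP domain calls, DOM scraping, config/env access)
CAPABILITY_PATTERNS = {
    "remote debugging enabled": [r"remote-debugging-port"],
    "permissive debug origins": [r"remote-allow-origins=\*"],
    "request interception / body rewriting": [
        r"\bFetch\.(enable|continueRequest|fulfillRequest)\b", r"\bpostData\b"],
    "script evaluation in page": [r"\bRuntime\.evaluate\b", r"\.evaluate\("],
    "broad DOM scraping": [r"document\.body\.(innerText|textContent)", r"\bshadowRoot\b"],
    "stored knowledge identifiers": [r"\bknowledge_ids?\b"],
    "environment access": [r"\bos\.environ\b", r"\bgetenv\("],
}

# capability -> phrases a README should contain if it discloses that capability
DISCLOSURE_TERMS = {
    "remote debugging enabled": ["remote debugging", "debug port", "devtools"],
    "permissive debug origins": ["allow-origins", "any origin"],
    "request interception / body rewriting": ["intercept", "rewrite", "inject"],
    "script evaluation in page": ["evaluate", "javascript"],
    "broad DOM scraping": ["scrape", "page text", "page content"],
    "stored knowledge identifiers": ["knowledge id", "knowledge_id"],
    "environment access": ["environment variable", "env var"],
}


def triage(files):
    """Map each detected capability to (filename, line number, line) hits.

    `files` maps a path to its text; only code/config files are scanned.
    """
    compiled = {cap: [re.compile(p) for p in pats]
                for cap, pats in CAPABILITY_PATTERNS.items()}
    hits = {}
    for path, text in files.items():
        if not path.lower().endswith(CODE_SUFFIXES):
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            for cap, regexes in compiled.items():
                if any(r.search(line) for r in regexes):
                    hits.setdefault(cap, []).append((path, lineno, line.strip()))
    return hits


def undisclosed(readme_text, hits):
    """Return detected capabilities that the README does not mention at all."""
    text = readme_text.lower()
    return sorted(cap for cap in hits
                  if not any(term in text for term in DISCLOSURE_TERMS[cap]))


# Constructed sample skill, not the real skill's files.
SAMPLE_SKILL = {
    "run.py": (
        'import json, os, subprocess\n'
        'APP = os.environ.get("IMA_PATH", "ima.exe")\n'
        'subprocess.Popen([APP, "--remote-debugging-port=9222", "--remote-allow-origins=*"])\n'
        'KID = json.load(open("config.json"))["knowledge_id"]\n'
        '# cdp.send("Fetch.enable"); rewrite postData to add KID; Fetch.continueRequest\n'
        'text = page.evaluate("document.body.innerText")\n'
    ),
    "README.md": "Automates search in the desktop client. Put your knowledge ID in config.json.\n",
}

if __name__ == "__main__":
    found = triage(SAMPLE_SKILL)
    for cap, locs in found.items():
        for path, lineno, line in locs:
            print(f"[{cap}] {path}:{lineno}: {line}")
    for cap in undisclosed(SAMPLE_SKILL["README.md"], found):
        print(f"README does not mention: {cap}")
```

The output is a reading list, not a verdict: every hit points at a line to inspect by hand, and every undisclosed capability is a question to ask the skill's author before installing.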

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes a local Python script with shell, file, environment, and likely network capabilities, but declares no corresponding permissions or user-facing trust boundary. This creates a transparency and policy gap: users may invoke a skill that can access local configuration and external resources without explicit disclosure, increasing the chance of unintended data access or command-execution risk through the underlying implementation.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script actively intercepts internal network traffic and rewrites request bodies to inject a knowledge-base identifier, which exceeds simple app control or search automation. This creates an unauthorized request-manipulation capability that can alter application behavior, bypass intended UI constraints, and access or steer retrieval contexts the user did not explicitly select.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Launching the desktop app with a remote debugging port and a permissive origin setting grants powerful control over the application internals, including page inspection, script execution, and network manipulation. Binding the port to localhost does not remove this risk: any other process running as the same user can connect to it, and a permissive remote-origin setting lets a web page open in a browser on the same machine connect to the port as well. The change therefore materially expands the attack surface and enables invasive control beyond the stated skill purpose.
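To verify the "binds to localhost" claim and to confirm the port is closed once the skill exits, here is an added example that is not code from the skill or from SkillSpector: a Python check that classifies how a port is bound from `ss -ltnp` (Linux) or `netstat -ano` (Windows) output and probes the DevTools HTTP endpoint on loopback. The port number 9222 and the sample listener rows are constructed assumptions; `/json/version` is the standard Chromium DevTools discovery URL, which Electron apps inherit.

```python
"""Check whether a desktop app's DevTools debug port is exposed, and to whom.

Added example for this review page, not code from the skill or from
SkillSpector. It parses listener output from `ss -ltnp` (Linux) or
`netstat -ano` (Windows) to classify how a given port is bound, and probes
the Chromium/Electron DevTools HTTP endpoint on loopback. Run it while the
skill is active and again after it exits to confirm the port is closed.
The sample listener output below is constructed, not captured.
"""
import json
import urllib.request

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
WILDCARD = {"0.0.0.0", "::", "[::]", "*"}


def local_bindings(listener_output, port):
    """Return the local addresses on which `port` is in LISTEN state.

    Works on `ss -ltnp` and `netstat -ano` rows: the local address is the
    first addr:port token whose port matches; the peer column never matches
    because its port is `*` (ss) or `0` (netstat).
    """
    addrs = []
    for line in listener_output.splitlines():
        if "LISTEN" not in line.upper():
            continue
        for tok in line.split():
            host, sep, p = tok.rpartition(":")
            if sep and p == str(port):
                addrs.append(host)
                break
    return addrs


def debug_port_exposure(listener_output, port):
    """'closed', 'loopback', 'all interfaces', or 'specific interface'."""
    addrs = local_bindings(listener_output, port)
    if not addrs:
        return "closed"
    if any(a in WILDCARD for a in addrs):
        return "all interfaces"
    if all(a in LOOPBACK for a in addrs):
        return "loopback"
    return "specific interface"


def devtools_version(port, timeout=1.0):
    """Fetch /json/version from the DevTools HTTP endpoint; None if unreachable.

    A response proves the port is a live DevTools endpoint: whoever can
    connect receives the WebSocket URL that grants control of the pages.
    """
    url = f"http://127.0.0.1:{port}/json/version"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        return None


# Constructed sample rows, one per tool format; not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:9222      0.0.0.0:*         users:(("ima",pid=4242,fd=31))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   [::1]:9229          [::]:*
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:9222           0.0.0.0:0              LISTENING       4242
  TCP    127.0.0.1:9229         0.0.0.0:0              LISTENING       777
"""

if __name__ == "__main__":
    for name, out in (("ss", SAMPLE_SS), ("netstat", SAMPLE_NETSTAT)):
        print(name, 9222, debug_port_exposure(out, 9222))
    live = devtools_version(9222)
    print("DevTools endpoint:", live["Browser"] if live else "not reachable")
```

Run the same check after the skill reports completion: anything other than "closed" means the debugging interface outlived the task. Note that "loopback" is the best case, not a clean bill of health, because every local process running as the user can still reach the port.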

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code evaluates JavaScript in the page context and extracts broad rendered DOM text from document.body, including deep traversal into shadow DOM. That is broader than narrowly retrieving a search result and can capture unrelated or sensitive page content visible in the app, increasing privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly documents request interception and on-the-fly injection of private `knowledge_ids` into queries, but does not provide a clear warning about privacy implications, scope of data access, logging exposure, or the risk of unintentionally querying private corpora. In a skill designed to automate an AI desktop client, this omission is security-relevant because users may not realize that a simple trigger token changes the destination and sensitivity of the data being queried.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The skill documents use of a local config file containing a private knowledge identifier, but provides no warning about protecting that file or limiting exposure of the identifier in logs, prompts, or shared environments. While a knowledge ID alone may not be a secret in all systems, in this context it is tied to private knowledge retrieval and could enable unauthorized lookup attempts, misrouting of sensitive queries, or accidental disclosure of internal resource identifiers.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently launches a local application with remote debugging enabled, materially changing the application's security posture without clear user notice. Users are not informed that a powerful control interface is being exposed, which undermines informed consent and safe operation.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill performs network interception and modifies outbound request bodies without adequately disclosing that behavior to the user. Hidden traffic manipulation is dangerous because it can silently alter the scope of data access and the meaning of user actions inside the application.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill collects rendered page text from the DOM without clearly informing the user that page content is being scraped. Because the extraction is broad and content-based rather than narrowly structured, it may capture more information than the user expects, including sensitive or incidental content.

VirusTotal

64/64 vendors flagged this skill as clean.
