Security audit

smart-site-selection-skill

Security checks across malware telemetry and agentic risk

Overview

This site-selection skill is mostly aligned with its purpose, but it needs review because it uses external services and an API key, writes local reports and temp state with weak safeguards, and includes rate-limit-evasion language.

Install only if you are comfortable providing an AMap Web Service key and sending business/location details to mapping and search services. Treat generated reports as sensitive because they may include business plans and the AMap key in map URLs; avoid sharing reports until the key is removed. Prefer explicit confirmation before runs, a chosen output directory, sanitized filenames, escaped HTML, and compliant API quota handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium
Confidence: 95%
Finding:
The code and comments explicitly describe using sleeps to avoid Amap free-key QPS interception, which is deliberate rate-limit evasion behavior rather than ordinary backoff or compliance with provider limits. In an agent skill, this is dangerous because it encourages unauthorized use of third-party services and can expose the operator to account suspension, blocking, or policy violations.

Vague Triggers

Medium
Confidence: 91%
Finding:
The README says users can 'directly' express a store-opening intent to trigger the skill, but it does not define clear scope, consent boundaries, or activation constraints. In an agent environment, broad triggers can cause unintended invocation, unnecessary data collection, or external API usage based on ambiguous user requests.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The README describes automatic calls to AMap, searxng, and report generation, but does not clearly warn end users that network requests will be made and outputs may be generated automatically. This can lead to unexpected transmission of user-provided business/location data to third-party services and surprise file generation in the agent environment.

Vague Triggers

Medium
Confidence: 92%
Finding:
The trigger terms are very broad and include common words like '选址', '商业洞察', and '开店', which can cause the skill to activate in contexts where the user did not intend site-selection automation. Over-broad triggering can route unrelated conversations into a workflow that asks for strategic business information and may invoke external tools unnecessarily, creating privacy, integrity, and least-surprise issues.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill specifies that it writes a single-file HTML report into the current working directory, but the user-facing description does not clearly warn about this side effect. Undisclosed file creation is a security-relevant behavior because it can surprise users, overwrite expected workspace contents, expose generated business data to other processes, or create artifacts in sensitive directories depending on runtime context.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The script writes raw user input and derived context to a predictable file in /tmp without consent, access controls, or lifecycle management. On multi-user systems, temporary files can be discoverable or mishandled, exposing potentially sensitive business plans or location data beyond the active session.

Vague Triggers

Medium
Confidence: 93%
Finding:
The trigger list includes very generic phrases such as '开店', '摆摊', and '调查报告', which can match many normal conversations unrelated to this skill’s intended scope. Overly broad invocation increases the chance the skill runs unexpectedly, exposing external API usage, web-scraping behavior, or autonomous report generation without clear user intent.

Ssd 2

Medium
Confidence: 96%
Finding:
The comments explicitly describe avoiding Amap interception/QPS controls by inserting delays, which signals intentional circumvention of service protections. Even though this is expressed in comments and timing logic rather than exploit code, in context it operationalizes policy evasion and makes the skill more dangerous because it normalizes abusive API usage.

VirusTotal

62/62 vendors flagged this skill as clean.