OpenFishy Feed Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill generates media through external APIs and publishes it to the OpenFishy feed, and does so openly: the scan found no hidden persistence or destructive behavior.

Install only if you intend to send prompts, generated media URLs, tags, and related metadata to fal.ai, the OpenFishy feed API, and optionally OpenAI. Use non-sensitive prompts, keep API keys scoped and revocable, leave VISUAL_STUDIO_API_URL at the default unless you control the endpoint, and use --dry-run or small --count values before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tainted flow: 'req' from os.environ.get (line 56, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                body = resp.read().decode("utf-8")
                return json.loads(body) if body else {}
        except urllib.error.HTTPError as exc:
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares executable behavior that reads environment variables and performs outbound network operations, but it does not declare explicit permissions for those capabilities. This creates a transparency and governance gap: operators may invoke code that can access secrets and exfiltrate data to external services without a clear permission boundary or review signal.
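The data-flow finding above (an os.environ.get value reaching urllib.request.urlopen through the intermediate variable req) and this least-privilege finding can be reproduced with one small static pass over the script's AST. The following is an added example written for this page, not SkillSpector's code: it tracks environment reads through assignments into network sinks, reporting both direct and variable-mediated flows, and then compares the capabilities the code exercises against a manifest permission list. SAMPLE_SKILL, SAMPLE_MANIFEST (with its assumed "permissions" key) and the https://example.invalid URL are constructed stand-ins for the skill's real files.

```python
import ast

# Source and sink vocabularies for the patterns in the list above.
ENV_SOURCES = {"os.environ.get", "os.getenv"}
NET_SINKS = {"urllib.request.urlopen", "requests.post", "requests.get"}

# Constructed sample (not the skill's source) mirroring the finding: the
# environment value reaches urlopen through the intermediate variable 'req'.
SAMPLE_SKILL = '''\
import json, os, urllib.request

def submit(payload):
    api_key = os.environ.get("VISUAL_STUDIO_API_KEY", "")
    api_url = os.getenv("VISUAL_STUDIO_API_URL", "https://example.invalid/ingest")
    req = urllib.request.Request(
        api_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": "Bearer " + api_key},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))
'''
# Constructed manifest: declares network use but says nothing about environment access.
SAMPLE_MANIFEST = {"name": "openfishy-feed-publisher", "permissions": ["network"]}


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain; None for anything else (e.g. a call result)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def calls_in(node):
    return {dotted_name(c.func) for c in ast.walk(node) if isinstance(c, ast.Call)} - {None}


def env_reads_in(node):
    """{(source, line)} for every os.environ.get / os.getenv call under node."""
    return {(dotted_name(c.func), c.lineno) for c in ast.walk(node)
            if isinstance(c, ast.Call) and dotted_name(c.func) in ENV_SOURCES}


def taint_flows(source):
    """Flow-insensitive pass over assignments and calls in source order: an assignment
    whose right-hand side reads the environment or mentions a tainted name taints its
    targets; a network sink fed a tainted name (variable-mediated) or an inline env
    read (direct) is reported."""
    tree = ast.parse(source)
    nodes = sorted((n for n in ast.walk(tree) if isinstance(n, (ast.Assign, ast.Call))),
                   key=lambda n: (n.lineno, n.col_offset))
    roots = {}    # tainted variable -> {(env source, line), ...} it derives from
    flows = []
    for node in nodes:
        if isinstance(node, ast.Assign):
            origin = env_reads_in(node.value)
            for name in names_in(node.value) & set(roots):
                origin |= roots[name]
            if origin:
                for target in node.targets:
                    for name in names_in(target):
                        roots[name] = roots.get(name, set()) | origin
            continue
        sink = dotted_name(node.func)
        if sink not in NET_SINKS:
            continue
        for arg in node.args + [kw.value for kw in node.keywords]:
            direct = env_reads_in(arg)
            if direct:
                flows.append({"kind": "direct", "var": None, "sink": sink,
                              "sink_line": node.lineno, "sources": sorted(direct)})
            for name in sorted(names_in(arg) & set(roots)):
                flows.append({"kind": "variable-mediated", "var": name, "sink": sink,
                              "sink_line": node.lineno, "sources": sorted(roots[name])})
    return flows


def used_capabilities(source):
    """Coarse capability set the code exercises, keyed like a manifest permission list."""
    calls = calls_in(ast.parse(source))
    caps = set()
    if calls & ENV_SOURCES:
        caps.add("env")
    if calls & (NET_SINKS | {"urllib.request.Request"}):
        caps.add("network")
    return caps


def undeclared_capabilities(source, manifest):
    """Capabilities the code uses that the manifest's 'permissions' list omits."""
    return used_capabilities(source) - set(manifest.get("permissions", []))


if __name__ == "__main__":
    for flow in taint_flows(SAMPLE_SKILL):
        print(flow)
    print("undeclared:", undeclared_capabilities(SAMPLE_SKILL, SAMPLE_MANIFEST))
```

On the sample, the pass reports one variable-mediated flow (req into urllib.request.urlopen, rooted in the two environment reads) and one undeclared capability, "env". The pass is deliberately flow-insensitive and ignores control flow and sanitizers, which is enough to reproduce the two findings but will over-report on code that validates or strips the tainted value before sending it.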

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The stated purpose says the skill generates and publishes media to an OpenFishy feed API, but the documented behavior also includes sending prompts and images to fal.ai and optionally OpenAI for quality scoring, plus a separate quality-gating workflow and inconsistent naming around a 'Visual Studio' API. This mismatch is dangerous because it can mislead operators about where data is sent and what processing occurs, increasing the chance of unintended third-party disclosure of prompts, media, and metadata.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script metadata and docstring claim it is for OpenFishy publishing, but the code explicitly describes and implements submission to a different 'Visual Studio' API. This mismatch is dangerous because it can mislead operators into supplying credentials and running a skill that exfiltrates or misroutes generated content to an unintended external service.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The imported submission path and naming are centered on a Visual Studio API rather than the declared OpenFishy feed API, strongly indicating the skill sends data and credentials to a service different from what users were told. In an agent skill, this kind of service-identity mismatch is a serious trust-boundary violation and can lead to credential misuse, unauthorized publishing, or covert exfiltration.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The top-level workflow comment says the one-command cycle ends with posting to Visual Studio, directly contradicting the skill's declared OpenFishy publishing purpose. Such contradictory operational guidance increases the likelihood that users will unknowingly authorize publication to the wrong external platform.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script for an OpenFishy publishing skill reads `VISUAL_STUDIO_API_KEY` and `VISUAL_STUDIO_API_URL`, which is inconsistent with the declared platform and strongly suggests credential confusion or repurposing toward an unrelated service. In an agent skill context, this can misdirect the agent into using sensitive credentials from another integration, causing cross-service secret exposure or unauthorized API calls under false pretenses.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module docstring says it submits to a Visual Studio ingestion API, while the manifest describes an OpenFishy feed publisher unrelated to Visual Studio. This mismatch is a supply-chain trust issue: it can mislead reviewers and operators about where data is being sent, reducing the chance that secret exfiltration or unauthorized publishing behavior is caught.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code is wired to a Visual Studio-branded endpoint and credential name despite the skill being presented as an OpenFishy feed publisher. That discrepancy strongly suggests deceptive wiring that could cause users or orchestrators to provide secrets and content under false pretenses, leading to unauthorized data transfer or credential exposure to an unrelated service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends the user-supplied prompt and image URL to a third-party API without any explicit disclosure or consent mechanism in the code path. In a media publishing skill, prompts and image URLs may contain sensitive or proprietary content, so undisclosed transmission creates a privacy and data-governance risk even if the destination is legitimate.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script sends prompt text, media URLs, agent profile, theme, tags, and generator metadata to a remote API without any in-code notice, consent flow, or minimization. In an agent skill, prompts and media metadata may contain sensitive or proprietary information, so silent transmission increases privacy and compliance risk even if the endpoint is legitimate.
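The two warnings above come down to three properties a publish path can make explicit: which host receives the data, which fields leave the process, and a dry run that shows both before anything is sent. The block below is an added example for this page, not the skill's own code. DEFAULT_FEED_URL, ALLOWED_HOSTS, ALLOWED_FIELDS and the sample record are constructed assumptions; a real deployment would take the allowlist and field set from the operator's configuration.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Constructed for this example; the real skill's defaults and field set are its own.
DEFAULT_FEED_URL = "https://feed.example.invalid/v1/submit"
ALLOWED_HOSTS = {"feed.example.invalid"}
# Only these keys leave the process; anything else in a record is dropped and reported.
ALLOWED_FIELDS = ("prompt", "media_url", "tags")


class DestinationError(ValueError):
    pass


def destination_problem(url, allowed_hosts=ALLOWED_HOSTS):
    """None if url is an HTTPS endpoint on the operator's allowlist, else the reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"refusing non-HTTPS endpoint {url!r}"
    if parts.hostname not in allowed_hosts:
        return f"host {parts.hostname!r} is not on the allowlist {sorted(allowed_hosts)}"
    return None


def minimize(record, allowed=ALLOWED_FIELDS):
    """Split a record into the fields we send and the names of the fields we drop."""
    kept = {key: record[key] for key in allowed if key in record}
    dropped = sorted(set(record) - set(kept))
    return kept, dropped


def plan_request(record, url=DEFAULT_FEED_URL, api_key=None):
    """Everything the operator should see before anything is sent. The key itself
    is never placed in the plan, only whether one would be attached."""
    problem = destination_problem(url)
    if problem:
        raise DestinationError(problem)
    payload, dropped = minimize(record)
    return {"url": url, "host": urlsplit(url).hostname, "payload": payload,
            "dropped_fields": dropped, "authenticated": bool(api_key)}


def publish(record, url=DEFAULT_FEED_URL, api_key=None, dry_run=True):
    """Dry run (the default) returns the plan and sends nothing; a real run posts
    exactly the minimized payload to the checked destination."""
    plan = plan_request(record, url, api_key)
    if dry_run:
        return {"sent": False, **plan}
    headers = {"Content-Type": "application/json"}
    if api_key:
        headers["Authorization"] = "Bearer " + api_key
    req = urllib.request.Request(plan["url"], data=json.dumps(plan["payload"]).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return {"sent": True, "status": resp.status, "host": plan["host"]}


if __name__ == "__main__":
    # Constructed record carrying the kinds of metadata the findings list.
    record = {"prompt": "a neon fish over a coral reef",
              "media_url": "https://cdn.example.invalid/fish.png", "tags": ["fish", "neon"],
              "agent_profile": {"name": "reef-bot"}, "theme": "ocean",
              "generator": {"model": "example-image-model", "seed": 7}}
    print(json.dumps(publish(record, api_key="not-a-real-key"), indent=2))
```

Dry run is the default, so a caller has to pass dry_run=False to send anything, and the dry-run output names the host, the exact payload and the dropped fields without ever echoing the key. Pointing the URL at a host outside the allowlist, or at a plain-HTTP endpoint, fails in plan_request before any request object is built.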

VirusTotal

64/64 vendors reported this skill as clean. A clean antivirus verdict covers known-malware signatures only; the data-flow and description-mismatch findings above are design issues that these engines do not assess.
