ClawHub

Dao3 Statistics

Security checks across malware telemetry and agentic risk

Overview

The skill appears aimed at DAO3 data queries, but it exposes broad authenticated raw API access that users should review before installing.

Install only if you need DAO3 API access and are comfortable with a skill that can make authenticated requests beyond the named query commands. Use a minimally scoped DAO3 token if available, avoid passing secrets directly on the command line, and do not use the raw endpoint unless you understand exactly which DAO3 path will be called and what account data it may return.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly requires networking and documents many remote API calls, but the manifest does not declare corresponding permissions. This weakens sandboxing and reviewer visibility, making it easier for a data-access skill to perform outbound requests without transparent consent boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented raw command materially expands behavior beyond the stated purpose of querying specific DAO3 data and statistics by allowing requests to arbitrary upstream API paths. When combined with optional token and user-agent headers, this becomes a general authenticated API proxy that can reach undocumented or sensitive endpoints.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The raw feature permits direct access to arbitrary DAO3 API endpoints rather than only the enumerated read operations described elsewhere in the manifest. This broadens the attack surface to undocumented APIs and can expose private account data when credentials are supplied.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
An endpoint-proxy primitive is broader than necessary for a statistics/query skill and creates a capability mismatch: the skill can be repurposed for generic upstream API exploration. Even if limited to one host, this still enables access to functions and data classes not anticipated by users or reviewers.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill claims to provide scoped Dao3 data queries and statistics, but the raw subcommand exposes a generic endpoint fetch primitive that can access arbitrary API paths. That materially expands capability beyond the declared purpose, enabling unauthorized or unreviewed access patterns and making policy bypass or data over-collection much easier, especially when paired with supplied authentication tokens.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Arbitrary-endpoint access is not justified by the declared use case of fetching specific profile, map, message, and statistics data. In an agent-skill context, this broad primitive can be repurposed to probe undocumented endpoints, retrieve unrelated sensitive data, or bypass higher-level guardrails that only reason about the named commands.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The raw_get function allows callers to supply any endpoint string, effectively turning this skill into a generic proxy to the DAO3 API rather than a narrowly scoped statistics/query client. In a skill that can also attach authentication headers, this broadens access beyond the documented purpose and can expose unintended authenticated endpoints, increasing the chance of data overreach or abuse.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
An arbitrary endpoint accessor is not justified by the stated skill purpose, which describes specific DAO3 profile, map, comment, and statistics queries. Because the helper can reach unspecified endpoints and optionally send user credentials, it expands the operational scope of the skill into a general authenticated API caller, undermining least privilege and creating a path to retrieve or manipulate unrelated data if the backend permits it.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation language is overly broad and says DAO3-related requests should preferentially trigger this skill even when the user does not explicitly mention DAO3. That increases the chance of unnecessary invocation, causing unsolicited network access or prompting for sensitive credentials in situations where a narrower skill would suffice.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to provide a DAO3 token and user-agent for authenticated queries but does not include safeguards, minimization guidance, or warnings about private account data exposure. In a skill that can access messages, statistics, and other account-linked information, missing credential-handling guidance materially increases the risk of sensitive data leakage or misuse.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The raw endpoint capability can send user-supplied authentication material to arbitrary API paths without warning about the privacy implications. Because the feature can target undocumented authenticated endpoints, it may retrieve or expose sensitive account data beyond the user's expectations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Accepting authentication tokens on the command line can expose them through shell history, process listings, job control tools, audit logs, and agent telemetry. In this skill context the risk is heightened because the token unlocks authenticated Dao3 message/statistics endpoints, so leakage could directly enable access to private account data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal