ClawHub

Iflytek Text Proofread

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Chinese proofreading tool that sends user-selected text to iFlytek's API, with no evidence of hidden persistence, credential theft, or unrelated data access.

Install only if you are comfortable sending the text you proofread to iFlytek's third-party service using your own iFlytek credentials. Avoid submitting confidential, regulated, personal, or secret material unless your organization permits that data transfer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises and requires environment variables, file input, and outbound network access, but does not declare permissions explicitly. This weakens user and platform visibility into sensitive capabilities, especially since the skill reads local text and transmits it to a remote third-party API using stored credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states that user-provided Chinese text is sent to the iFlytek proofreading API, but it does not clearly warn users that their content leaves the local environment and is transmitted to a third-party service. Because this skill is designed for proofreading official documents and potentially sensitive text, users may unknowingly submit confidential, personal, or regulated data to an external provider, creating privacy, compliance, and data-handling risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill encourages users to submit arbitrary text for proofreading but does not clearly warn that the content is sent to iFlytek's third-party API. Because the advertised use case includes official documents and long-form text, users may unknowingly transmit confidential, regulated, or sensitive material outside the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal