baidu-skill-guard

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed skill-install security checker that reads skill metadata and queries Baidu’s security service, with privacy and workflow-control caveats but no artifact-backed malicious behavior.

Install this only if you want Baidu’s service involved in your skill-install workflow. Avoid using directory or batch scans on private or unreleased skill folders unless sharing slugs, versions, inventory counts, and content fingerprints with that service is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 82%
Finding
The skill directs the agent to read local files and call an external security-check API via `scripts/check.sh`, but the manifest declares no permissions. This mismatch is risky because it hides effective capabilities from users and reviewers, reducing informed consent and making network/file access easier to misuse or overlook.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The trigger logic is intentionally overbroad, multilingual, and explicitly says to trigger 'when in doubt' with false positives acceptable. That can cause this skill to intercept many normal install/check conversations, override user intent, and force unnecessary file/network operations or workflow blocking in contexts the user did not request.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The script sends skill slugs, versions, and content-derived SHA256 hashes to a remote Baidu security service during routine checks, but the code provides no consent flow, notice, minimization, or opt-out mechanism. In environments with private or unreleased skills, these identifiers and hashes can leak sensitive metadata about internal projects and enable correlation by the service operator.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The script sends skill slugs, versions, and in some cases a content SHA256 fingerprint to a remote Baidu security service, but the CLI output and behavior shown here provide no explicit user disclosure or consent step before transmitting that metadata. While this is consistent with the stated purpose of a security-check skill, it still creates a privacy and data-governance issue because repository identifiers and content fingerprints may reveal proprietary or unpublished skill information to a third party.

VirusTotal

VirusTotal findings are pending for this skill version.
