Last30Days CN

Security checks across malware telemetry and agentic risk

Overview

This research skill is mostly purpose-aligned, but it has automatic session-start execution and persistent credential/cookie handling that users should review carefully before installing.

Install only if you are comfortable with a crawler-style research tool that can contact multiple Chinese platforms, use API keys or cookies, and save reports locally. Review or disable the SessionStart hook before use, avoid installing it in untrusted projects, keep .env files private, and do not provide high-privilege personal session cookies unless you understand where they are stored and how to remove them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 58, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    """Write report.json, report.md, and last30days.context.md."""
    ensure_output_dir()

    with open(OUTPUT_DIR / "report.json", "w", encoding="utf-8") as f:
        json.dump(report.to_dict(), f, indent=2, ensure_ascii=False)

    with open(OUTPUT_DIR / "report.md", "w", encoding="utf-8") as f:
Confidence
89% confidence
Finding
with open(OUTPUT_DIR / "report.json", "w", encoding="utf-8") as f:

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 58, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    with open(OUTPUT_DIR / "report.json", "w", encoding="utf-8") as f:
        json.dump(report.to_dict(), f, indent=2, ensure_ascii=False)

    with open(OUTPUT_DIR / "report.md", "w", encoding="utf-8") as f:
        f.write(render_full_report(report))

    with open(OUTPUT_DIR / "last30days.context.md", "w", encoding="utf-8") as f:
Confidence
89% confidence
Finding
with open(OUTPUT_DIR / "report.md", "w", encoding="utf-8") as f:

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 58, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    with open(OUTPUT_DIR / "report.md", "w", encoding="utf-8") as f:
        f.write(render_full_report(report))

    with open(OUTPUT_DIR / "last30days.context.md", "w", encoding="utf-8") as f:
        f.write(render_context_snippet(report))
Confidence
89% confidence
Finding
with open(OUTPUT_DIR / "last30days.context.md", "w", encoding="utf-8") as f:

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script reads attacker-controlled key/value pairs from .env files and interpolates them into an eval statement, which turns a configuration parser into a shell-code execution sink. A crafted value containing shell metacharacters or command substitution can execute arbitrary commands whenever the config check runs, which is far beyond the script's stated purpose of only checking readiness.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script includes a special 'setup' mode that can write configuration data to an environment/config file, which expands its capabilities beyond passive research into persistent local state modification. In an agent or skill context, file-writing setup flows can be abused to alter credentials, endpoints, or future runtime behavior, especially if invoked unexpectedly or with insufficient user consent.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The --save-dir option allows writing output to an arbitrary user-specified directory, giving the skill file-management capability beyond simple reporting. While the content written is not inherently dangerous, arbitrary path writes can overwrite or place files in sensitive locations if the skill is invoked in a broader automated environment.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The module stores and automatically reloads per-platform browser cookies from disk under the user's home directory, enabling persistent authenticated scraping sessions across multiple sites. Cookies are authentication material; if the local files are read by another process, user, or backup/sync target, attackers could reuse live sessions or harvest account state without needing credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes crawler/XHR interception behavior and multi-platform search, including optional credentialed access, without an explicit user warning that external requests may occur and local credentials/cookies may be used. In this context, that omission is security-significant because the skill operates against anti-bot-protected services and may handle authentication material, so lack of disclosure undermines informed consent and safe operation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The specification explicitly states that research outputs are written to local files such as report.md, report.json, and last30days.context.md, but does not warn users that potentially sensitive queries, scraped content, or derived analysis will persist on disk. In a research tool that may process confidential topics or regulated data, silent persistence increases the risk of unintended disclosure to other local users, backups, sync services, or downstream tools.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The spec describes loading API keys and cookies from multiple config and environment locations, but does not include a privacy/security notice about how those credentials are used, what services they authenticate to, or whether they may be sent to third-party platforms. For a multi-platform scraping and research skill, undisclosed credential usage can lead to accidental over-sharing, misuse of personal session cookies, or operator confusion about trust boundaries.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The default prompt is broad and generic, asking for research on any topic across multiple Chinese platforms without constraining subject matter, allowed behaviors, or disallowed categories. In combination with agent ecosystems that support automatic routing, this increases the chance of unintended invocation for sensitive, risky, or privacy-impacting topics and can cause the skill to be used outside its intended research scope.

Vague Triggers

High
Confidence
95% confidence
Finding
Enabling implicit invocation without activation boundaries means the skill may be auto-selected whenever a user asks for recent research or trend analysis, even if they did not intend to use this specific high-reach multi-platform crawler. Because the skill targets numerous external platforms and appears optimized to bypass scraping friction, accidental or overbroad invocation can amplify compliance, privacy, and misuse risks.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The empty matcher causes this SessionStart hook to run for every session, making the command execution path globally active instead of scoped to specific contexts. Because the hook launches a shell command at session start, any mistake, compromise, or unsafe behavior in the referenced script affects all uses of the skill and increases the attack surface.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script sends user-supplied topics to multiple third-party platforms and APIs, but does not provide an explicit warning that the query will be transmitted externally. In a research skill, this creates a privacy and data-handling risk because sensitive topics may be disclosed to external services unexpectedly, amplified here by the number of destinations contacted.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code places the Weibo access token directly into the query string, which is risky because URLs are commonly logged by application logs, proxies, browser tooling, monitoring systems, and exception traces. Although the token is sent to the intended Weibo API over HTTPS, embedding secrets in URLs increases the chance of credential leakage beyond the immediate request path.

VirusTotal

65/65 vendors flagged this skill as clean.