Cultural Relics Guide

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate museum narration generator, but it stores API credentials locally and sends prompt content to the model API provider the user configures.

Install only if you are comfortable storing a model API key in a local JSON file and sending relic names, audience descriptions, and optional questions to the API endpoint you configure. Use a trusted HTTPS provider, prefer a limited-scope API key, avoid entering private or unpublished information, and be aware that broad trigger phrases may activate the skill for generic Chinese introduction or explanation requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tainted flow: 'output_file' from input (line 228, user input) → open (file write)

Medium
Category
Data Flow
Content
    # Excerpt of the flagged function body (Python); output_file is derived from user-supplied relic_name
    output_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
    output_file = os.path.join(output_dir, f"讲解词_{relic_name}.txt")

    with open(output_file, "w", encoding="utf-8") as f:
        f.write(narration)

    return output_file
Confidence
97% confidence
Finding
with open(output_file, "w", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly describes capabilities to read local configuration files, write output files, and send outbound network requests, yet it declares no permissions or equivalent user-facing warning about those actions. This can mislead users about the skill’s access and data flows, especially because it handles API credentials and transmits user-provided content to external endpoints.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The skill behavior exceeds its stated purpose by persisting API credentials and generated content to local storage, but this is not clearly disclosed in the described functionality. Hidden credential persistence increases security risk because users may provide sensitive API keys without realizing they will be stored on disk, potentially in plaintext depending on utils.save_user_config().

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list contains very common phrases such as '介绍', '讲解', and '说一下', which are likely to appear in normal conversation unrelated to this skill. Over-broad activation increases the chance the skill runs unexpectedly and causes unintended file access, credential use, or external API calls without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation tells users to place API credentials in a local config file and the skill uses those credentials for outbound API requests, but it does not clearly warn about storage sensitivity or transmission behavior. Users may unknowingly expose secrets or route data to third-party endpoints they do not fully trust.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script prompts for an API key and saves configuration without any explicit warning about secret handling, storage location, or whether the key is persisted securely. This creates a realistic risk of credential exposure, especially on shared systems or if the config file is stored in plaintext, committed to source control, or readable by other users.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
User profile details and free-form questions are sent to an external API, but the script does not clearly disclose this data transfer before transmission. Because free-form questions can contain personal or sensitive information, undisclosed third-party transmission creates privacy and compliance risk beyond the core narration feature.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The relic name and assembled generation prompt are transmitted to an external API without an explicit privacy or network-transmission warning. In this skill context the data is usually low sensitivity, but some museum or curation workflows may involve unpublished exhibit information, making silent external transmission an avoidable data-governance risk.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
84% confidence
Finding
The trigger '讲解' is extremely short and generic, making accidental activation likely in ordinary conversation. In this skill’s context, unintended activation can cascade into local config access and outbound API use, increasing privacy and operational risk.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
84% confidence
Finding
The trigger '介绍' is broad common speech and can match many unrelated requests. Because the skill performs credential-backed network operations, accidental invocation is more risky than for a purely local, read-only skill.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
82% confidence
Finding
The trigger '说说' is vague conversational language with high likelihood of unintended matching. Even if the resulting action is not immediately destructive, unnecessary activation can leak user content to third-party APIs or create unwanted files.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
83% confidence
Finding
The trigger '解说' is generic and can overlap with normal dialogue, making false activation plausible. Given the skill’s described network and file behaviors, this broad trigger increases the chance of unintended external transmission or credential usage.

VirusTotal

66/66 vendors flagged this skill as clean.