Taoist Calendar Lookup - Jike Data

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform calendar lookups, but it uses an API key in URL-based network calls and has overly broad wording that could trigger it for unrelated requests.

Review before installing. Use this only for Taoist calendar/date lookups, use a low-scope Jike AppKey, avoid logging or sharing full request URLs, and do not set JIKE_API_BASE_URL unless it points to a trusted HTTPS Jike endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Tainted flow: 'url' from os.environ.get (line 113, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
"""
    url = f"{API_BASE_URL}{API_PATH}?{urllib.parse.urlencode({'date': date_value, 'appkey': appkey})}"
    try:
        with urllib.request.urlopen(url, timeout=15) as response:
            return json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return {"code": exc.code, "message": f"接口请求失败: HTTP {exc.code}", "data": ""}
Confidence: 94%
Finding:
with urllib.request.urlopen(url, timeout=15) as response:

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding:
The description says the skill is suitable for 行情查询 (market/quote queries), but the documented behavior only supports Taoist calendar lookup. This mismatch can cause the agent to invoke the skill in unrelated contexts, leading to user confusion, improper tool selection, and unintended transmission of dates or API usage to a third-party service when no relevant market function exists.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The skill description uses broad invocation language such as applying to related data/date queries or market queries, which increases the chance of accidental invocation outside its narrow purpose. In an agent environment, overly broad triggers can route unrelated user requests into a tool that sends data to an external API, expanding privacy and security exposure unnecessarily.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The markdown instructs users to place the API key directly in the URL query string. Query-string credentials are commonly logged by clients, proxies, servers, browser history, and observability systems, which creates a clear credential exposure risk far beyond the immediate request.

VirusTotal

65/65 vendors flagged this skill as clean.
