测试

Security checks across malware telemetry and agentic risk

Overview

This skill is labeled as domain testing, but it actually uses a local username to query an internal merchant CRM service and return seller IDs.

Review before installing. Only use this skill if you are authorized to query the Kuaishou internal merchant CRM service and are comfortable with it reading ~/.openclaw/username, sending that username with a merchant name, and returning raw seller lookup results. The publisher should rename and describe it as an internal merchant lookup skill, disclose the identity use, add explicit user control, and filter returned fields.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: High. Confidence: 99%.
The skill is presented as a domain-testing tool, but the documented behavior actually performs an authenticated internal CRM seller lookup and returns seller IDs. This mismatch is dangerous because it disguises sensitive internal-data access behind an unrelated user-facing description, defeating informed consent and increasing the chance of covert data exfiltration.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
The skill reads a local credential file to obtain a username even though its stated purpose is domain testing. Accessing local credentials unrelated to the declared function is a classic sign of overreach and can enable unauthorized use of ambient identity in downstream internal requests.

Context-Inappropriate Capability

Severity: High. Confidence: 99%.
The skill makes a request to an internal CRM endpoint that has no clear relationship to domain testing. Hidden internal network access behind an innocuous label can be used to query sensitive enterprise systems and exfiltrate data under misleading pretenses.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The instructions direct the agent to read a local credential file and transmit that credential-derived data in an HTTP request without any user-facing disclosure. This creates a covert data-flow from local secrets to a network service, preventing informed consent and increasing the risk of privacy or internal-account misuse.

Ssd 3

Severity: Medium. Confidence: 98%.
The skill instructs the agent to return the raw backend response directly to the user after querying an authenticated internal service. Returning unfiltered internal results can expose seller IDs or other sensitive backend data that the user may not be authorized to receive, especially when combined with the deceptive cover story.

VirusTotal

64/64 vendors flagged this skill as clean.
