Security audit

Zshijie Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill matches its publishing purpose, but it needs Review because it stores a reusable login session and can use it for live account publishing/editing with weak guardrails.

Install only if you intend to let OpenClaw publish or edit Z视介 content. Review the exact JSON payload, account, target article_id, media URLs, and host before every publish/edit action; avoid non-default hosts unless trusted; treat the session file like a password and delete or rotate it when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill clearly drives local scripts that read and write session files, generate QR assets, invoke shell commands, and make authenticated network requests, yet the skill metadata does not declare any permissions. This creates a transparency and consent problem: a user or hosting platform may not realize the skill persists authentication material locally and can perform networked publish actions on their behalf.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The request builder accepts absolute operation URLs and also allows callers to override the base URL, so the CLI can be redirected to arbitrary hosts instead of the intended Z视介 endpoints. In a skill that stores session identifiers and performs authenticated publishing actions, this increases the risk of SSRF-like behavior, credential leakage, and accidental transmission of authenticated requests to attacker-controlled infrastructure.

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger text is broad and combines multiple activation cases such as posting, editing, processing uploaded HTML docs, and packaging for ClawHub. Overbroad activation can cause the skill to run in contexts the user did not intend, increasing the chance of unnecessary login prompts, session reuse, or accidental publication workflows.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that it saves and reuses a local sessionId and keeps it in both headers and cookies, but it does not prominently warn users that this credential-like token persists on disk and can authorize future actions. In context, this is more dangerous because the skill performs authenticated publishing and editing against a real platform, so silent session persistence can enable unintended account actions if the local environment is shared or compromised.

Missing User Warnings

Medium
Confidence: 90%
Finding
The usage guidance instructs operators to persist an extracted `sessionId` locally, but does not warn that this value is effectively an authenticated session credential. Anyone who can read the session file can likely replay the token to publish or edit content as the user, especially since the CLI also sends it as both a header and cookie for compatibility.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation instructs the skill to persist and later reuse a live authenticated sessionId, which is effectively a bearer credential for the user's publishing account. If stored insecurely, logged, or exposed to other tools or users on the system, it could enable unauthorized publishing or editing without requiring the user to re-authenticate.

Missing User Warnings

Medium
Confidence: 77%
Finding
The skill enables authenticated publish and edit operations against a live creator account, but the documentation contains no explicit warning that these actions modify real remote content. In an agent setting, missing warnings and confirmation expectations increase the risk of accidental or unauthorized posting, especially because the same sessionId is reused for state-changing API calls.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.