Last30days Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real research skill, but it automatically uses local X browser session cookies and stores raw research data locally in ways users should review first.

Install only if you are comfortable with the skill reading X/Twitter browser session cookies for authenticated search, sending your research topics to the listed providers, and keeping reports/raw responses locally. Avoid sensitive or confidential topics unless you first disable cookie-based X search and review or clear the output/cache/database files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (51)

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 19, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
ensure_output_dir()

    # report.json
    with open(OUTPUT_DIR / "report.json", 'w') as f:
        json.dump(report.to_dict(), f, indent=2)

    # report.md
Confidence
93% confidence
Finding
with open(OUTPUT_DIR / "report.json", 'w') as f:

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 19, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
json.dump(report.to_dict(), f, indent=2)

    # report.md
    with open(OUTPUT_DIR / "report.md", 'w') as f:
        f.write(render_full_report(report))

    # last30days.context.md
Confidence
93% confidence
Finding
with open(OUTPUT_DIR / "report.md", 'w') as f:

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 19, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
f.write(render_full_report(report))

    # last30days.context.md
    with open(OUTPUT_DIR / "last30days.context.md", 'w') as f:
        f.write(render_context_snippet(report))

    # Raw responses
Confidence
93% confidence
Finding
with open(OUTPUT_DIR / "last30days.context.md", 'w') as f:

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 19, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
# Raw responses
    if raw_openai:
        with open(OUTPUT_DIR / "raw_openai.json", 'w') as f:
            json.dump(raw_openai, f, indent=2)

    if raw_xai:
Confidence
96% confidence
Finding
with open(OUTPUT_DIR / "raw_openai.json", 'w') as f:

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 19, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
json.dump(raw_openai, f, indent=2)

    if raw_xai:
        with open(OUTPUT_DIR / "raw_xai.json", 'w') as f:
            json.dump(raw_xai, f, indent=2)

    if raw_reddit_enriched:
Confidence
96% confidence
Finding
with open(OUTPUT_DIR / "raw_xai.json", 'w') as f:

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 19, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
json.dump(raw_xai, f, indent=2)

    if raw_reddit_enriched:
        with open(OUTPUT_DIR / "raw_reddit_threads_enriched.json", 'w') as f:
            json.dump(raw_reddit_enriched, f, indent=2)
Confidence
96% confidence
Finding
with open(OUTPUT_DIR / "raw_reddit_threads_enriched.json", 'w') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares broad capabilities via metadata and instructions but lacks an explicit permissions model describing or constraining its access to environment variables, filesystem, network, and shell. This makes trust decisions harder for users and platforms, and increases the risk of over-privileged execution if the skill is installed or invoked in a sensitive environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill presents itself as a transient research helper, but the documented behavior includes persistent SQLite storage, watchlist automation, archived briefings, cost tracking, deployment/sync into agent directories, and use of browser cookies or ambient credentials for X access. This mismatch can cause users to authorize the skill under false assumptions, leading to unexpected data retention, credential use, local propagation, and expanded attack surface.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The plan expands a research skill into one that can install software and execute local commands, which materially broadens its capabilities beyond passive information retrieval. That increases attack surface because an agent following this plan could modify the host environment and invoke external binaries without strong trust, consent, or sandboxing controls.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The documented `npm install -g @steipete/bird` performs a global package installation, changing the user's system state and trusting a third-party package supply chain. For a skill whose stated purpose is research, that is an unjustified privileged action and could expose users to package compromise, persistence, or unintended environment changes.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Using subprocesses for Bird and npm introduces local command execution capability that is broader than the declared research-only behavior. Even though the commands are hardcoded in the plan, this design creates a pathway for environment interaction, external binary trust, and operational misuse if the agent or surrounding code is later extended unsafely.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The design explicitly proposes prompting the user to run a global npm installation of a third-party CLI that is not necessary to fulfill the core research function. Installing software modifies the user's environment and expands the trust boundary to package registries and package maintainers, creating avoidable supply-chain and system-integrity risk.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The design depends on shelling out to local executables (`which`, `bird`, `npm`) for detection, authentication checks, installation, and search operations. This broadens the skill's behavior from research into local system interaction, increasing the risk of unsafe command execution patterns, PATH hijacking, and unexpected side effects if binaries are replaced or maliciously shadowed.

Context-Inappropriate Capability

Low
Confidence
76% confidence
Finding
The plan introduces `variants/open/context.md` as agent memory in a skill whose stated purpose is recent-topic research, creating unnecessary data retention beyond the core function. Unjustified memory storage can accumulate sensitive prompts, preferences, or research history and later expose them through logs, prompts, or local file access.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The tool is described as researching only the last 30 days, but the code explicitly exempts YouTube results from the hard date filter and allows older content to remain. This creates a semantic integrity issue: users may act on stale information while believing all outputs satisfy the advertised recency constraint.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Persisting raw OpenAI, xAI, and enriched Reddit payloads exceeds the minimally necessary data handling for a research-rendering feature and creates unnecessary retention of potentially sensitive data. This broadens the exposure surface if local storage is compromised, shared, or redirected via the environment override.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code resolves live X/Twitter authentication material from CLI args, environment variables, and—most notably—local browser cookie stores, then assembles a reusable Cookie header. That is a credential-access capability that exceeds the stated purpose of a 'research last 30 days' skill and could enable account impersonation, unauthorized scraping, or takeover of the user's authenticated session.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The functions call a library to read cookies directly from Safari, Chrome, and Firefox for x.com/twitter.com and select the auth_token and ct0 values. These cookies are sufficient to reuse an existing logged-in web session, so harvesting them creates a direct path to unauthorized access as the user.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is explicitly marketed as researching the last 30 days, but the code intentionally keeps older results when there are too few recent videos. That creates a trust and integrity problem: downstream users may act on stale information while believing it is current, which is especially risky for time-sensitive research workflows.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill explicitly expands scope from a last-30-days research tool to 'ANY topic,' which conflicts with the declared purpose and can cause the agent to operate outside user and platform expectations. This increases the chance of collecting stale, irrelevant, or overbroad information and undermines downstream behaviors that assume recent, time-bounded research.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The web supplement step suggests broad and fixed-year queries like '2026' rather than enforcing a rolling last-30-days window, so the agent may retrieve content far outside the intended recency boundary. In a skill whose safety and usefulness depend on freshness, this creates a specification-integrity problem and can mislead users about how current the results are.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill is explicitly open-class and marketed for arbitrary trending/current-event topics, which creates very broad activation scope and increases the chance it will be invoked in unintended contexts. In an always-on or bot-integrated environment, broad triggers can cause accidental research on sensitive topics, unreviewed outbound queries to third parties, and context leakage beyond what a user expected.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The watchlist examples use natural-language phrases like 'watch my biggest competitor every week' and 'what have you found about AI video?' without clear command boundaries, making it easier for an agent to misclassify ordinary conversation as an action request. In always-on or cron-backed deployments, that ambiguity can lead to unintended persistence, scheduled execution, and repeated outbound collection on topics the user did not mean to track.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill advertises research on "ANY topic" and accepts bare "[topic]" input, creating a trigger scope broad enough to overlap with normal conversation. In an agent environment, this can cause unexpected activation and unintended tool use, including web searches and script execution, when the user did not explicitly intend to invoke the skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The specification explicitly states that the skill sends user-supplied topics to OpenAI and xAI APIs and writes raw responses plus derived reports to persistent local files, but it does not include any user-facing disclosure, consent prompt, or guidance about handling sensitive topics. This creates a real privacy and data-handling risk because users or downstream skills may unknowingly transmit confidential information to third parties and retain it on disk beyond the immediate session.

VirusTotal

66/66 vendors flagged this skill as clean.
