onebot

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OneBot/QQ message-sending helper, but it gives broad instructions for outbound messaging and token use without enough confirmation or scoping.

Review before installing. Use this only if you want the agent to help send QQ messages through your OneBot/NapCat service. Require explicit confirmation of recipient or group ID, message body, endpoint, and token before any send, do not reuse the example token, and avoid letting the skill inspect unrelated Docker or local network services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium (93% confidence)
Finding:
The skill explicitly instructs the agent to verify localhost and container IPs to discover the NapCat service, which expands behavior from sending messages into host and container network reconnaissance. Even if intended for setup convenience, this can expose internal topology and authorize probing of services the user did not explicitly ask to inspect.

Vague Triggers

Medium (83% confidence)
Finding:
The trigger phrases are broad and overlap with common conversation such as 'notify', 'tell someone', or 'send a message', making accidental activation likely. In this skill's context, a misfire can cause unintended external message transmission to QQ users or groups, which is a real security and privacy risk rather than a purely UX issue.

Missing User Warnings

Medium (90% confidence)
Finding:
The skill instructs the agent to send data through curl to the OneBot HTTP API without clearly warning the user that this performs an external transmission and may notify third parties. Lack of disclosure increases the chance that users unintentionally cause outbound communications containing sensitive or private information.

Missing User Warnings

Medium (95% confidence)
Finding:
The skill references an Authorization bearer token and demonstrates embedding a concrete token value in command examples without adequate warning about credential sensitivity. This creates a strong risk of secret leakage through logs, transcripts, screenshots, or command history, and the token could be reused to access or abuse the messaging service.

VirusTotal

VirusTotal findings are pending for this skill version.
