ClawHub

xingtuTaskAuthor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill does what it claims, but it asks users to share and store live XingTu browser cookies and exports personal contact data without enough safeguards.

Install only if you are comfortable giving the agent access to a live XingTu session and exporting creator contact information to a local spreadsheet. Prefer a version that uses a secure credential flow or secret store, avoids pasting full cookies into chat, masks WeChat/contact fields by default, and clearly warns before exporting personal data.

SkillSpector (4)

By NVIDIA

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly instructs the user to copy and send a complete authenticated browser Cookie string, then store it in a local plaintext file. Browser cookies are authentication secrets; collecting them through chat and persisting them expands exposure to account takeover, replay, and leakage through logs, memory, or local file compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill exports a dataset containing personal and contact information, including influencer identifiers, city, and WeChat ID, to an Excel file without any privacy notice, minimization, or handling restrictions. This creates unnecessary risk of unauthorized disclosure, onward sharing, or retention of personal data beyond the immediate task.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script exports sensitive creator data, including contact information such as WeChat IDs, into a local Excel file without any warning, minimization, masking, or access controls. In an agent/automation context this increases the risk of unintended disclosure, oversharing, or insecure downstream handling of personal data, especially if the file is saved to shared locations or transmitted later.

Ssd 3

High
Confidence
99% confidence
Finding
Instructing the user to transmit the full Cookie header to the agent exposes live authentication material in plain language and normalizes secret exfiltration through the conversation channel. If intercepted, logged, reused by other tools, or mishandled by the agent, the cookie can grant unauthorized access to the XingTu account/session.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal