ClawHub

手机号码归属地查询 - 聚合数据

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the advertised phone-number lookup, but it sends phone numbers and the Juhe API key through an unencrypted HTTP request.

Review before installing. Only query numbers you are allowed to send to Juhe, prefer an HTTPS endpoint if Juhe supports it, avoid passing the API key with --key because it can land in shell history, and consider rotating the key if it has been used over untrusted networks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill handles phone numbers, which are sensitive personal data, and sends them to a third-party API for lookup, but the user-facing guidance does not clearly warn users before transmission. This creates a privacy risk because users may provide personal or others' phone numbers without informed consent about external disclosure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script sends both phone numbers and the API key to a third-party service using plain HTTP, which exposes the request to interception or modification by any network attacker on the path. Because the data includes personal phone data and a reusable credential, this creates a real confidentiality and integrity risk rather than a cosmetic issue.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal