Security audit

Today's Oil Price Lookup - Juhe Data

Security checks across malware telemetry and agentic risk

Overview

This skill coherently provides China oil-price lookups through the Juhe API, but users should protect the Juhe API key because the documented options include plaintext and command-line storage and the script uses an HTTP query URL.

Install only if you are comfortable using a Juhe API key for oil-price lookups. Prefer the JUHE_OIL_KEY environment variable, avoid passing the key with --key, do not commit scripts/.env, and consider changing the API URL to HTTPS if Juhe supports it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are broad generic price-query language such as '查一下油价' ("check the oil price") and similar common utterances, which can cause the skill to activate in situations where the user did not clearly consent to using this third-party integration. Overbroad activation increases the chance of unintended data disclosure to the external API and can hijack general assistant interactions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description says it uses the Juhe API, but it does not clearly warn that user-supplied city or province queries are transmitted to a third-party service for processing. This is a privacy-transparency issue because location-related user input may be sent off-platform without clear upfront disclosure at the point users choose or trigger the skill.

Credential Access

High
Category
Privilege Escalation
Content
export JUHE_OIL_KEY=你的AppKey

# Option 2: .env file (create it in the script directory)
echo "JUHE_OIL_KEY=你的AppKey" > scripts/.env

# Option 3: pass it on the command line each time
python scripts/oil_price.py --key 你的AppKey
Confidence
78% confidence
Finding
.env

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.