Youxinpai Reconciliation

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as reconciliation tooling, but it can modify local project files and trigger internal data jobs and SQL through an existing corporate session, with no clear final approval step.

Install or run this only if you are authorized to operate the internal task and SQL pages and to modify the local yxp_oms_web project. Confirm the target month, review the exact local file changes, and require an explicit approval before triggering tasks or running SQL. This is not evidence of theft or malware, but it should be reviewed before use because it can change local files and production-adjacent data workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Severity: High (94% confidence)

The skill states it only triggers pre-reconciliation tasks and reports results, but it also instructs the agent to modify a local configuration file, edit Java test code, run a unit test, and later execute SQL. This mismatch hides materially more powerful and state-changing actions than the declared scope, increasing the chance that an operator authorizes it without understanding the local-system and data-plane impact.

Description-Behavior Mismatch

Severity: Medium (90% confidence)

The metadata describes a task focused on batch-searching and triggering data warehouse jobs, but the workflow additionally requires editing and executing SQL. That is a scope expansion from operational orchestration into direct query modification/execution, which can affect data systems in ways not communicated by the skill description.

Context-Inappropriate Capability

Severity: High (97% confidence)

For a skill whose stated purpose is triggering reconciliation prerequisite tasks, directing the agent to alter local source/configuration and execute a unit test is context-inappropriate and risky. These actions can change developer environment state, redirect service traffic via host changes, and introduce unintended side effects unrelated to merely checking or triggering remote jobs.

Missing User Warnings

Severity: Medium (95% confidence)

The skill instructs the agent to perform system- and data-affecting actions—editing local config, changing test source, running a unit test, and editing/running SQL—without any explicit warning or consent checkpoint. In this context, the absence of a clear warning is dangerous because users may expect a low-risk task trigger, not local environment mutation and direct query execution against enterprise systems.

Missing User Warnings

Severity: Medium (93% confidence)

The script programmatically clicks the run control and the confirmation button for matched tasks with no explicit user acknowledgement, preview, or secondary safety check. In an operations console, this can trigger production data jobs on the wrong rows if the DOM match is imperfect, the UI changes, or the user did not intend immediate execution, creating integrity and availability risk.
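As an added example, not code from this report or from the reviewed skill: a guarded form of the "match task rows, then click run and confirm" logic the finding above describes, implementing the checks the Overview asks for (confirm the target month, preview the exact actions, require explicit approval). The task names, months and row shape are constructed assumptions standing in for cells scraped from the task console; `clicks.run` and `clicks.confirm` are injected stand-ins for the real DOM clicks so the logic runs without a browser.

```javascript
// Added example: guarded row matching and execution for a task console.
// Not part of the reviewed skill; task names, months and the row shape are
// constructed for illustration of what a DOM scrape might yield.
const SAMPLE_ROWS = [
  { id: "row-1", task: "yxp_recon_pre_check", month: "2024-05", status: "idle" },
  { id: "row-2", task: "yxp_recon_pre_check", month: "2024-06", status: "idle" },
  { id: "row-3", task: "yxp_recon_pre_check_v2", month: "2024-06", status: "idle" },
  { id: "row-4", task: "yxp_settlement_load", month: "2024-06", status: "running" },
];

// Exact-match selection on task name AND month. A substring or prefix match
// ("pre_check" also hits "pre_check_v2") is exactly how a job fires on the
// wrong row. Zero or multiple hits, or a non-idle row, are reported as
// problems instead of being silently skipped or clicked anyway.
function selectRows(rows, targets, month) {
  const selected = [];
  const problems = [];
  for (const task of targets) {
    const hits = rows.filter((r) => r.task === task && r.month === month);
    if (hits.length === 0) problems.push(`no row for ${task} / ${month}`);
    else if (hits.length > 1) problems.push(`ambiguous: ${hits.length} rows for ${task} / ${month}`);
    else if (hits[0].status !== "idle") problems.push(`${task} is ${hits[0].status}, not idle`);
    else selected.push(hits[0]);
  }
  return { selected, problems };
}

// Dry-run plan plus a fingerprint of the exact action list, so the thing the
// operator approves is the thing that gets executed. (JSON of the action list
// is used as the fingerprint here to keep the example dependency-free.)
function buildPlan(rows, targets, month) {
  const { selected, problems } = selectRows(rows, targets, month);
  const actions = selected.map((r) => ({ rowId: r.id, task: r.task, month: r.month, action: "run+confirm" }));
  return { actions, problems, fingerprint: JSON.stringify(actions) };
}

// Click only when: the plan has no problems, an approval exists for this exact
// fingerprint, and each row still matches the previewed plan at click time
// (a re-rendered or changed table aborts before any further click).
function executePlan(plan, approval, currentRows, clicks) {
  if (plan.problems.length > 0) return { executed: [], reason: "plan has unresolved problems" };
  if (!approval || approval.fingerprint !== plan.fingerprint) return { executed: [], reason: "no approval for this plan" };
  const executed = [];
  for (const a of plan.actions) {
    const row = currentRows.find((r) => r.id === a.rowId);
    if (!row || row.task !== a.task || row.month !== a.month || row.status !== "idle") {
      return { executed, reason: `row ${a.rowId} changed since preview; stopped` };
    }
    clicks.run(row.id);
    clicks.confirm(row.id);
    executed.push(row.id);
  }
  return { executed, reason: "ok" };
}

// Stand-alone demo: preview, then execute with an approval bound to the preview.
function demo() {
  const plan = buildPlan(SAMPLE_ROWS, ["yxp_recon_pre_check"], "2024-06");
  const log = [];
  const clicks = { run: (id) => log.push(`run:${id}`), confirm: (id) => log.push(`confirm:${id}`) };
  // In practice the approval is produced by an operator who has read plan.actions.
  const result = executePlan(plan, { fingerprint: plan.fingerprint }, SAMPLE_ROWS, clicks);
  return { plan, result, log };
}
```

The approval object is deliberately bound to the fingerprint of the previewed action list, not to a boolean "yes": an operator who approved one month's plan cannot have that approval reused for a different set of rows, and any change to the table between preview and click stops execution at the first mismatched row.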

VirusTotal

66/66 vendors flagged this skill as clean.