我的文学时刻.skill

Security checks across malware telemetry and agentic risk

Overview

This skill is, as described, a diary-writing assistant with optional photo metadata support, but users should understand that it can read photo EXIF location data and may install Python image libraries if that option is enabled.

Install only if you are comfortable with a journaling assistant processing personal text and optional photo metadata. Strip EXIF from photos first if location privacy matters, and prefer installing dependencies yourself with requirements.txt instead of allowing runtime auto-install.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}

    try:
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "--quiet",
             "pillow>=10.0.0", "pillow-heif"]
        )
Confidence
95% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "--quiet", "pillow>=10.0.0", "pillow-heif"] )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            if not auto:
                return "pillow-heif not installed; HEIC/HEIF unsupported"
            try:
                subprocess.check_call(
                    [sys.executable, "-m", "pip", "install", "--quiet", "pillow-heif"]
                )
                from pillow_heif import register_heif_opener
Confidence
95% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "--quiet", "pillow-heif"] )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes shell/Python capabilities despite declaring no permissions, which creates an undeclared execution surface. In this context, those capabilities are used to process user-supplied photo paths and may access local files or system metadata unexpectedly, increasing both privacy and integrity risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a writing assistant but also performs EXIF extraction, GPS parsing, system metadata access, and optional package installation. This mismatch is dangerous because users may share photos expecting only writing help, not hidden metadata processing or environment modification, leading to privacy exposure and unsafe runtime behavior.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The claim 'only ask, only write' is contradicted by instructions to inspect image metadata and potentially modify the environment by installing dependencies. This can mislead users and operators about the skill's actual capabilities, making consent and review ineffective.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatic package installation is not necessary for a diary-writing workflow and expands the attack surface by changing the runtime environment at execution time. Even when intended as convenience, dynamic installs can introduce supply-chain risk, break sandbox assumptions, and violate least-privilege expectations.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The helper script performs image metadata extraction, GPS parsing, and chronological reordering even though the skill is presented as a listener/writer that only asks and writes without fabrication. This capability mismatch is dangerous because it broadens access to sensitive photo metadata beyond what users would reasonably expect from the advertised skill behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script parses and returns precise GPS coordinates from image EXIF data. For a literary journaling skill, this is a materially more dangerous capability because it can reveal home, work, travel routes, or other sensitive location history without an obvious functional necessity.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Allowing the skill to install Python packages at runtime adds execution and outbound package-fetch capability that is unjustified for the stated literary purpose. In this context, the mismatch makes the behavior more suspicious and more dangerous because users would not expect a journaling helper to modify the runtime environment or retrieve code from the network.

Context-Inappropriate Capability

Medium
Confidence
77% confidence
Finding
The script invokes a platform metadata utility to inspect files, which is broader system-interaction capability than the skill description suggests. While not inherently malicious, this increases privacy exposure and hidden file-inspection behavior in a context where users expect text assistance rather than OS-level metadata collection.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill advertises automatic activation on broad, everyday phrases such as writing a diary, recording today, travel memories, life fragments, and inner monologue. In an agent environment, overly broad trigger conditions can cause unintended routing of unrelated conversations into this skill, exposing sensitive personal content, disrupting intended workflows, and increasing the chance that attached photo metadata or emotional journaling content is processed when the user did not explicitly consent to this skill.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The English section repeats the same keyword-driven auto-activation model without clear constraints, so the ambiguity is not limited to one language path. Because this skill is designed for introspective writing and may use photo EXIF as contextual input, accidental activation is more dangerous than in a low-sensitivity utility skill: it can steer personal conversations into collection, interpretation, and persistence of emotionally sensitive material.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill extracts EXIF metadata including GPS/location-related fields from user photos without an explicit privacy warning or opt-in. Photo metadata can reveal sensitive location and device details that users may not realize are embedded, making this a meaningful privacy risk in a journaling context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatic pip installation occurs without any visible user-facing warning or confirmation at the point of use. This is dangerous because it changes the environment and downloads executable code implicitly, violating least surprise and reducing opportunities for users or administrators to assess risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This block auto-installs Pillow and pillow-heif without explicit disclosure in the code path that handles normal execution. The danger is not just package installation itself, but the hidden nature of downloading and executing third-party code in a skill that users perceive as a simple journaling assistant.

Ssd 3

Medium
Confidence
74% confidence
Finding
The skill instructs the model to preserve and reuse user-provided details in the final diary output, which can amplify disclosure of sensitive personal information the user may share during an emotional journaling session. In this context, the skill is explicitly designed to solicit intimate experiences, so indiscriminate retention increases privacy harm if the output is stored, shared, or viewed by others.

VirusTotal

66/66 vendors flagged this skill as clean.
