大象沟通日报 (Daxiang Communication Daily Report)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can automatically collect, cache, and reproduce sensitive workplace chat messages with weak consent, scoping, and retention controls.

Install only if you trust the publisher and are authorized to process the Daxiang chats involved. Treat generated JSON and Markdown files as sensitive chat records, use a private output directory, avoid the generic trigger and cron unless ongoing collection is intended, and prefer redacted or aggregate-only reports where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Tainted flow: 'message_file' from os.environ.get (line 311, credential/environment) → open (file write)

Severity: Medium
Category: Data Flow
Content:
    if messages:
        # Save to file
        DATA_DIR.mkdir(parents=True, exist_ok=True)
        with open(message_file, "w", encoding="utf-8") as f:
            json.dump(messages, f, ensure_ascii=False, indent=2)
        print(f"   数据已保存到: {message_file}")
        return messages
Confidence: 88%
Finding: with open(message_file, "w", encoding="utf-8") as f:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 82%
Finding: The skill advertises only report generation, yet the analysis indicates operational capabilities such as environment access, file read/write, and shell usage without declared permissions. Hidden or undeclared capabilities reduce transparency and can enable broader data access or command execution than users expect, especially when handling sensitive chat data.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: This is a true security and privacy issue because the described behavior goes beyond passive local report generation: it may invoke an external DX CLI, pull chat history when local files are absent, persist raw messages to JSON, and include near-complete message details in output. That materially changes the trust boundary by collecting, storing, and exposing private communications beyond the user's likely expectation from the description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: When the local file is missing, the skill silently escalates from report generation to bulk collection of private and group chat history through DX CLI. That exceeds the stated behavior and can cause unauthorized data access and storage, especially because users may expect analysis of provided data rather than active retrieval of all conversations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The skill executes an external CLI to enumerate sessions and download message history, which gives it access to significantly more data than a simple reporting function implies. In skill context, this hidden capability is dangerous because it can collect sensitive communications from both direct and group chats without a narrow need-to-know boundary.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding: The report rendering exposes per-message conversational content and participant names, not merely aggregated activity summaries. In this skill's context, that materially increases the chance of leaking sensitive personal or business information through generated artifacts that may be shared or stored broadly.

Vague Triggers

Severity: High
Confidence: 97%
Finding: Using a generic trigger phrase like "report" can cause the skill to activate in unrelated conversations, leading to unintended collection or summarization of internal chat data. In the context of a skill that handles private communications, accidental invocation materially increases privacy and data exposure risk.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The README describes collecting and summarizing internal communication records but does not present a clear privacy notice, consent model, retention policy, or sensitive-data handling warning. Because the skill processes internal chat content, missing these safeguards can result in unauthorized processing, oversharing, and compliance violations.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill processes highly sensitive chat logs and appears designed to surface detailed interpersonal communications, yet it provides no privacy warning, consent language, or data-handling disclosure. Users may unknowingly expose private or third-party messages in generated reports, creating confidentiality, compliance, and insider-risk issues.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script automatically fetches private and group histories without presenting any privacy warning, consent checkpoint, or retention notice. Because the skill handles inherently sensitive communications, the lack of transparency and user control makes accidental overcollection and misuse substantially more dangerous.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: Raw fetched messages are written to disk as JSON without warning the user that full conversation contents are being persisted locally. Stored chat archives create durable exposure: other local processes, backups, or future users of the machine may access sensitive content long after report generation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The generated markdown report contains summaries and excerpts from conversations but gives no sensitivity warning or handling guidance. Reports are easier to forward and index than raw chat exports, so turning sensitive dialogs into a portable document increases disclosure risk.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The README explicitly says the skill extracts key dialogue content and presents complete communication record tables, which encourages broad disclosure of internal chat material. A reporting tool that reproduces raw message content can expose confidential business information, personal data, and sensitive workplace communications far beyond what is necessary for summarization.

Ssd 3

Severity: High
Confidence: 99%
Finding: The sample report includes speaker names, timestamps, and exact private message contents, demonstrating that the skill may generate reports containing verbatim internal communications. This creates a concrete risk of sensitive-data leakage if the report is stored insecurely, shared too broadly, or triggered without proper authorization.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The version history's emphasis on "complete display of all messages" reinforces an intentional design choice to maximize disclosure rather than minimize it. In a skill operating on internal communications, this increases the likelihood of over-collection and unnecessary retention of sensitive chat content.

Ssd 3

Severity: High
Confidence: 99%
Finding: The instruction to reproduce each contact's full message contents is directly dangerous because it transforms a summarization workflow into bulk disclosure of raw private communications. In the context of workplace or personal messaging, this can leak sensitive personal data, confidential business information, credentials, or legally protected content to anyone with access to the report.

Ssd 3

Severity: High
Confidence: 99%
Finding: The script collects private and group messages, extracts TODO-like requests, and reproduces message-derived content in a report. In a communications-reporting skill, that creates a real sensitive-data exposure risk because highly personal or confidential business content is processed and re-presented outside the original chat system.

Ssd 3

Severity: High
Confidence: 99%
Finding: Rendering raw conversational text alongside named participants materially increases the chance of exposing personal data, confidential discussions, and internal project details. The skill context makes this worse because users may treat generated reports as harmless summaries and share them more broadly than original chat logs.

VirusTotal

66/66 vendors flagged this skill as clean.