MAL-Updater

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed anime-to-MyAnimeList sync tool that needs credentials, network access, local state, and optional user-level background service behavior to do its job.

Install only if you want a local tool to store MAL and provider auth material, read provider watch data, and potentially run a user-level daemon that writes approved updates to MyAnimeList. Keep `.MAL-Updater/secrets` and `.MAL-Updater/state` private, avoid sharing status/service/log output or OAuth verifier text, run dry-run/review flows first, and review the systemd service before enabling unattended operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and instructs use of shell, file read/write, environment-variable access, and network operations, but it declares no corresponding permissions. This creates a transparency and policy-enforcement gap: operators and any permission-gating framework cannot accurately assess or constrain what the skill may do, especially since it handles credentials, runtime state, and live provider/MAL synchronization.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The function treats any string-valued session_phase as evidence of an auth-style failure instead of checking whether it matches the explicitly enumerated AUTH_STYLE_SESSION_PHASES. This can misclassify unrelated session states as authentication failures, causing incorrect recovery actions such as token refreshes, credential retries, or unnecessary rebootstrap flows in a component that handles account synchronization and auth state.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs operators to persist MAL OAuth access/refresh tokens under a runtime secrets directory, but it does not explicitly warn that these tokens are sensitive bearer credentials whose disclosure enables account access until revoked or expired. In an onboarding guide, omission of explicit handling guidance increases the chance that users store tokens in weakly protected locations, back them up insecurely, or expose them via logs or permissive filesystem permissions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide tells users to stage provider usernames/emails and passwords in the runtime secrets directory, but lacks a direct warning that this may involve plaintext credential storage and associated compromise risk. Because these are primary credentials for third-party services, mishandling could lead to account takeover, credential reuse exposure, or leakage through backups, permissions, shell history, or operational troubleshooting artifacts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The status command prints detailed filesystem locations for usernames, passwords, refresh tokens, access tokens, and service state files. While it does not print secret values, exposing exact secret paths materially lowers the effort needed for local credential theft, log leakage, or follow-on targeting in shared terminals, CI logs, support bundles, or agent output.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The OAuth helper prints the PKCE code verifier directly to stdout without an explicit warning or safer handling. In agent, shell-history, terminal logging, or CI contexts, stdout is often captured, and possession of the verifier can undermine the confidentiality of the in-progress OAuth flow if the authorization code is also exposed.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persistently logs full request metadata including URL and error text to disk. URLs and error messages often contain sensitive data such as query parameters, identifiers, tokens, or upstream response details, so this can create a local information disclosure risk if logs are accessed by other users, backups, or support tooling. In this skill's context, which handles multi-provider sync/auth and host operations, retaining provider request details makes the issue more concerning because auth-related endpoints or error payloads may expose account-specific information.

VirusTotal

66/66 vendors flagged this skill as clean.
