Security audit

🎯 BigFocus · Tracking Butler (Product Prices · Celebrity Updates · Industry Tracking · Custom Metrics) | Personal Price, Celebrity & Industry Tracker

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real tracking/alerting tool, but it needs review because it can persist trackers, run scheduled web checks, and send notifications with unclear consent and scoping.

Install only if you are comfortable with a local tracker that may contact external sites and run recurring checks. Before enabling cron notifications, confirm exactly where messages will be sent, review or restrict allowed URLs/domains, and require explicit confirmation before adding or deleting trackers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The add-flow is internally inconsistent: one section says no write occurs until the user confirms, while a later step describes adding first, then updating or removing after confirmation/cancellation. In a conversational agent, this ambiguity can lead to writes occurring before explicit consent, causing unauthorized tracker creation, state corruption, or accidental persistence of user data.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
Several trigger phrases are broad, generic, and likely to appear in normal conversation, such as 'bigfocus', '我的追踪' ("my tracking"), or '删除追踪' ("delete tracking"). This can cause unintended activation of the skill, and because the skill has file, network, search, and cron capabilities, accidental invocation could expose tracking data, perform external lookups, or start state-changing workflows.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The passive activation rule says that if the user merely mentions keywords related to existing tracking items, the skill should surface status automatically. That is overly broad and can activate without a clear request, creating privacy and safety risks by revealing tracked interests or causing unwanted reads in contexts where the user did not intend to invoke the skill.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This cron template sets up automated periodic scanning and, on changes, instructs the system to send outbound messages via `openclaw message send` to a configured channel/target, while also performing `web_search`. Although this is the stated purpose of the skill, the file does not include any explicit user-facing warning, consent checkpoint, or guardrails around external transmission, which creates a real risk of silent notifications, unintended data sharing, or misuse if installed with the wrong target.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
    try:
        # CoinGecko free API
        req = Request(
            'https://api.coingecko.com/api/v3/simple/price?ids=bitcoin&vs_currencies=usd',
            headers={'Accept': 'application/json'}
        )
        resp = urlopen(req, timeout=10)
Confidence: 79%
Finding: https://api.coingecko.com/

VirusTotal

60/60 vendors flagged this skill as clean.