Banned Words · Pre-posting Compliance Check (违规词·发帖前合规检查)

Security checks across malware telemetry and agentic risk

Overview

The checker’s core wordlist function is legitimate, but it can send draft text to DeepSeek and expose an unauthenticated local API without clear disclosure in the main skill instructions.

Install only after reviewing the privacy tradeoff. To keep drafts local, do not set DEEPSEEK_API_KEY and remove it from generic env files before use. Avoid running api_server.py on shared or public networks unless you add localhost binding and authentication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Tainted flow: 'req' from os.environ.get (line 142, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            headers={'Authorization': f'Bearer {key}', 'Content-Type': 'application/json'},
            method='POST',
        )
        with urllib.request.urlopen(req, timeout=30) as r:
            out = json.loads(r.read().decode())
            return out['choices'][0]['message']['content'].strip()
    except Exception:
Confidence
98% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as r:


Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares only benign local checking behavior, but detected capabilities include environment access, file read/write, and network use without any corresponding permission disclosure. In a compliance-checking context, this is dangerous because users may submit sensitive draft content expecting local-only processing, while undeclared network and file capabilities can enable silent exfiltration, persistence, or broader system interaction.


High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior says the skill performs local comparison against built-in wordlists, but the actual behavior reportedly sends user content and hits to an external DeepSeek service, exposes an HTTP server, and overstates continuous updates. This mismatch undermines informed consent and can cause users to disclose sensitive or unpublished content to third parties or remote interfaces they were never told about.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill description suggests a local compliance checker, but the implementation additionally reads credentials and sends user content to a third-party API for suggestions. That mismatch is security-relevant because users may trust the tool with draft ad copy or sensitive text without realizing it leaves the host.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
This wordlist enforces a large, hard-coded Chinese-language censorship/moderation policy without any visible locale selection, jurisdiction scoping, or user-configurable policy controls. In a compliance-checking skill, that can cause overblocking, viewpoint-based suppression, and inappropriate moderation of users outside the intended region or regulatory context, especially because the list mixes sexual terms, politics, names, websites, and ordinary strings like place names or numbers.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
This is a true policy and safety issue: the wordlist explicitly includes ethnically derogatory slurs targeting protected groups, which can normalize or operationalize hateful language handling in a way that may enable discriminatory moderation, logging, or downstream misuse. In this skill’s context, a compliance/sensitive-word checker is intended to screen content, which makes the presence of such slurs somewhat expected, but it is still dangerous because the list is broad, uncurated, and includes hateful terms without clear safeguards, provenance, or category boundaries.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Potentially sensitive user text is transmitted to a third-party model API without any user-facing warning, consent, masking, or disclosure. In the context of a compliance-check skill, submitted content may include unpublished marketing copy, regulated claims, or other confidential material, making silent transmission especially risky.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The script silently searches for credentials in environment variables and local .env-like files, which expands its access to secrets beyond explicit user input. While it only targets a named API key, undisclosed credential harvesting behavior is risky and violates least surprise for a tool that appears to be a local text checker.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal