Chinese Ebook Downloader

Security checks across malware telemetry and agentic risk

Overview

The skill largely does what it claims, but it automates downloads from untrusted ebook/file-hosting sites, extracts remote archives, and can overwrite local files without strong user control.

Review before installing. Use only in a sandbox or dedicated empty output folder, assume book queries and download behavior are exposed to third-party sites, avoid opening downloaded files until scanned, and check copyright/source trust. VirusTotal was pending, so this verdict relies on artifact behavior rather than malware telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Try direct curl first
    cmd = ["curl", "-L", "-o", out_path, "--max-time", "300", url]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=310)
    if os.path.exists(out_path) and os.path.getsize(out_path) > 5000:
        return out_path
Confidence
88% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=310)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    dl_url = await get_download_url(r['file_host_url'], pwd, headless=True)
    if dl_url:
        cmd = ["curl", "-L", "-o", out_path, "--max-time", "600", dl_url]
        subprocess.run(cmd, capture_output=True, text=True, timeout=610)
        if os.path.exists(out_path) and os.path.getsize(out_path) > 5000:
            return out_path
Confidence
90% confidence
Finding
subprocess.run(cmd, capture_output=True, text=True, timeout=610)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    extract_dir = f"/tmp/ebook_extract_{int(time.time())}"
    os.makedirs(extract_dir, exist_ok=True)
    try:
        subprocess.run(["unzip", "-o", "-d", extract_dir, f], capture_output=True, timeout=60)
        pdfs = glob.glob(os.path.join(extract_dir, "**/*.pdf"), recursive=True)
        for pdf in pdfs:
            if os.path.getsize(pdf) > 5000:
Confidence
86% confidence
Finding
subprocess.run(["unzip", "-o", "-d", extract_dir, f], capture_output=True, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs use of network access, shell commands, and local file writes/extraction, but it declares no permissions or safety boundaries. That mismatch is dangerous because an agent or user may invoke a capability-heavy workflow without explicit consent, review, or sandboxing, increasing the risk of arbitrary downloads, filesystem modification, and execution-adjacent abuse through fetched content.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code intentionally modifies browser fingerprints to evade bot detection by setting navigator.webdriver to undefined and spoofing chrome runtime. In the context of an ebook-downloader targeting shadow-library mirrors, this increases risk because it is designed to bypass access controls and makes automated retrieval from untrusted sites harder to audit and govern.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README says the skill auto-triggers on very common ebook-request phrases, but does not describe consent gates, confirmation prompts, or boundaries on what sources may be contacted. In a skill that performs browser automation, downloads files, and extracts archives, broad trigger conditions can cause unintended network activity and retrieval of potentially risky content from third-party sites.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes fully automated search, decryption, download, and ZIP extraction without warning users that the skill will perform network actions and process untrusted archives. That is dangerous because users may invoke it without understanding that it can fetch attacker-controlled files and unpack them locally, increasing the risk of harmful file writes or unsafe content handling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The troubleshooting section discusses browser automation, API extraction, and curl-based downloads to external file hosts, but provides no privacy or network disclosure. In context, this makes the skill more dangerous because users may not realize their queries, IP address, browser fingerprint, and download behavior are being exposed to multiple third-party services.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill tells the agent to download ebooks, save outputs, convert formats, and extract ZIP contents, but it does not warn that local files will be created or modified. This is risky because users may not realize the skill will write data to disk, potentially overwrite files, consume storage, or unpack malicious archives from untrusted sources.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script deletes any existing destination file with the same basename before moving the newly downloaded file into place, with no confirmation, backup, or integrity check. If a download yields an unexpected filename or a stale/corrupt file, legitimate local files in the output directory can be silently lost.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The script reads an environment-sourced default password and then searches for that value in arbitrary page text from external sites. While it does not directly exfiltrate the secret, loading a potentially sensitive environment value into logic that processes untrusted remote content is risky and unnecessary, especially in an agent setting where environment variables may contain reused secrets.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill automatically downloads remote files to a constructed output path without an explicit confirmation gate at the moment of download. In this context, the sources are untrusted mirror and partner sites, so silent download increases the chance of saving unexpected, malicious, or policy-violating content to disk.

VirusTotal

67/67 vendors flagged this skill as clean.
