Lee-CLI Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real personal-assistant CLI wrapper, but it needs review because it can read sensitive work context, calls external APIs, and includes unsafe API-key troubleshooting instructions.

Install only if you trust the separate lee-cli binary and are comfortable with it reading Claude Code activity records and possibly calendar/work context. Before use, avoid broad automatic invocation, do not let the agent print API keys, and treat weather/news/Anthropic API calls as external data sharing unless the runtime documentation proves otherwise.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The submission claims both that the skill needs network access for weather/news APIs and that no data is sent to third-party servers. Those statements cannot both be fully true in normal operation, so the documentation misrepresents data flow and trust boundaries. Misleading security claims can cause users and reviewers to underestimate privacy exposure when prompts, queries, or metadata are transmitted to external API providers.

Vague Triggers

Medium
Confidence: 91%
Finding
The example triggers are very broad everyday phrases such as asking for a joke, news, or a work summary. In a skill-routing environment, this can cause unintentional invocation of the skill during normal conversation, leading to unexpected command execution, data access, or network activity without clear user intent. The personal-assistant context increases risk because the documented capabilities include log reading and external API access.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document states that the skill may read Claude Code activity logs and use network connections for weather/news APIs, but it does not warn users what data may leave the local environment, when transmission occurs, or what retention/privacy boundaries apply. This creates a real privacy and transparency risk: users may expose sensitive work context or behavioral data to external services without informed consent. In a productivity assistant skill, activity logs can contain especially sensitive content, making the omission more dangerous.

Vague Triggers

Medium
Confidence: 89%
Finding
The natural-language activation examples are extremely broad everyday phrases such as asking for a joke, news, summary, learning resources, or todo items. In an agent ecosystem, overly generic triggers can cause unintended invocation of this skill when a user did not specifically intend to run it, increasing the chance of unnecessary log access or network calls. The risk is amplified because the skill includes features like work-summary generation that may read activity logs.

Vague Triggers

Medium
Confidence: 91%
Finding
The use-case section maps ambiguous conversational requests directly to command execution without documenting guardrails, disambiguation, or user confirmation. This creates a realistic risk of accidental tool execution in response to common requests, especially for commands that aggregate news, access APIs, or analyze Claude Code activity. In skill marketplaces, ambiguous invocation behavior is a security and safety issue because it weakens user intent verification.

Vague Triggers

Medium
Confidence: 89%
Finding
The README suggests very broad natural-language triggers like “讲个笑话” (tell me a joke) and “明天我要做什么?” (what am I doing tomorrow?), which can overlap with ordinary user conversation and cause the skill to activate unexpectedly. In a skill that can summarize activity records and generate task lists, accidental invocation may expose or process context the user did not intend to send to this skill.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README advertises automatic analysis of Claude Code activity records to generate work summaries, but provides no privacy notice, consent flow, retention policy, or explanation of what data is accessed. Because activity records may contain sensitive prompts, file names, project details, or secrets, undocumented analysis increases the risk of unintended disclosure or over-collection.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are broad enough that ordinary conversation like asking for a joke or asking about weather could activate the skill without clear user intent to invoke this specific tool. In an agent setting, overly loose activation can cause unnecessary command execution, network access, or data processing beyond what the user expected.

Vague Triggers

Medium
Confidence: 92%
Finding
Phrases such as '总结一下今天的工作' (summarize today's work), '今天要做什么' (what do I have to do today), '帮我整理一下' (help me organize this), and '个人助手' (personal assistant) are highly ambiguous and can overlap with normal assistant behavior. Because some documented commands analyze activity logs and calendar/task data, accidental activation could expose or process privacy-sensitive information without a clear, informed request.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that it will analyze Claude Code activity records and use calendar/task information, but it does not clearly warn that these sources may contain sensitive work history, filenames, schedules, or other personal data. In context, this increases the risk of silent collection or summarization of private information under a seemingly routine productivity request.

Missing User Warnings

Medium
Confidence: 82%
Finding
The script creates a temporary publish directory, copies the skill tree, and then removes subdirectories without any confirmation, dry-run mode, or validation of the computed paths. Although the paths are mostly fixed and scoped under /tmp, silent filesystem modification can still cause accidental data loss or confusing operator outcomes if environment assumptions are wrong.

Ssd 3

Medium
Confidence: 98%
Finding
The troubleshooting guidance tells the agent to run commands like 'echo $ANTHROPIC_API_KEY', which would print a secret directly into terminal output and potentially into chat transcripts, logs, or other downstream systems. This is a classic credential-exposure pattern and is especially dangerous because it is framed as normal troubleshooting.

Ssd 3

Medium
Confidence: 97%
Finding
The command 'env | grep ANTHROPIC' may reveal API keys or related secrets in full, and an agent following this instruction could leak them into its response or logs. Because this appears in a help/troubleshooting section, it is likely to be executed during failure handling when users are less likely to notice the disclosure risk.

VirusTotal

66/66 vendors flagged this skill as clean.