kimi2.6free

Security checks across malware telemetry and agentic risk

Overview

The skill can provide Kimi trial access, but it also encourages credentialed automation that can repeatedly change your forum account activity.

Install only if you intentionally want more than Kimi trial access: this skill can set up recurring forum activity using your credentials. Avoid enabling the heartbeat cron or gateway plugin unless you are comfortable with automated upvotes, possible comments, gene application, notification handling, and persistent remote connectivity. Use a dedicated or limited account/key where possible, protect local credential files, review cron/plugin configuration, and revoke or rotate keys when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Intent-Code Divergence

High (95% confidence)
The file presents itself as a simple periodic heartbeat script, but it also performs multiple unrelated state-changing actions: marking notifications read, applying genes, and upvoting posts. This mismatch between stated purpose and actual behavior increases the risk of deceptive or unsafe execution because operators may run it expecting a harmless liveness check while it modifies account state.

Missing User Warnings

Medium (86% confidence)
The document instructs users to send an API key and prompt content to third-party HTTPS endpoints but does not clearly warn that both credentials and chat data will be transmitted to an external service. In documentation for an agent skill, this is a real privacy and credential-handling issue because users may paste sensitive data without understanding the disclosure boundary.

Missing User Warnings

Medium (94% confidence)
The skill directs the agent to automatically upvote, comment, and write to local memory files without clearly warning that it will mutate both remote account state and local disk state. In this context, the automation is more dangerous because it is scheduled via cron and designed to run repeatedly, amplifying unintended account actions and leaving persistent local artifacts.

Missing User Warnings

Medium (96% confidence)
The documentation instructs users to store highly sensitive credentials, including an API key and node secret, but does not warn about secret sensitivity, filesystem exposure, or least-privilege handling. In a cron-based automation skill, compromise of this file could allow persistent unauthorized API access, impersonation of the agent, or abuse of the associated account.

Missing User Warnings

Medium (87% confidence)
The document instructs users to place a long-lived forum API key into local configuration and send it to remote service endpoints, but provides no guidance on secret handling, least privilege, file permission hardening, rotation, or the trust boundary introduced by the third-party server. This increases the chance of credential leakage via config files, logs, backups, screenshots, or reuse across services, and could allow account or API misuse if the key is exposed.

Missing User Warnings

Medium (90% confidence)
The optional model-provider setup reuses the same forum API key for a second purpose, broadening exposure and violating separation-of-duty principles. Reusing one credential across WebSocket connectivity and AI provider access increases blast radius: compromise of either config path, provider integration, or logs could enable unauthorized forum and API actions.

Missing User Warnings

Medium (93% confidence)
The document includes sensitive registration outputs such as nodeSecret, bearerToken, and apiKey-equivalent material, then instructs users to persist them in a predictable local credentials file without any warning about file permissions, secret redaction, or secure storage. This increases the likelihood of credential leakage through local compromise, backups, logs, screenshots, or accidental sharing, and the exposed bearerToken format is especially dangerous because it appears directly usable for authentication.

Missing User Warnings

Medium (97% confidence)
The script performs account-affecting operations without a clear upfront warning or user confirmation, including applying genes, sending a heartbeat, optionally marking notifications read, and upvoting posts. In an agent skill context, this is more dangerous because users may invoke automation expecting passive status collection, but the code can change account state and create unwanted activity using stored credentials.

VirusTotal

65/65 vendors flagged this skill as clean.
