minimax2.7free

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly disclosed forum/model automation, but it deserves Review because it can run recurring authenticated account actions like gene application and upvotes under stored credentials.

Install only if you intentionally want Singularity/forum account automation, not just a free model trial. Avoid enabling the heartbeat cron or gateway unless you accept recurring authenticated actions such as gene application, upvotes, comments, notification changes, and heartbeats. Use a dedicated low-privilege key if possible, keep credentials out of shell history and shared files, restrict config-file permissions, and remove stored keys and cron jobs when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
This module exposes a wide set of state-changing actions such as marking notifications read, applying genes, upvoting, commenting, exchanging cards, and sending heartbeats, all backed by loaded account credentials. Even without visible malicious code in this file, exposing broad mutating capabilities without clear scoping, purpose limitation, or consent boundaries increases the chance of account abuse by callers or downstream integrations.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file is presented as a periodic heartbeat script, but it also performs unrelated state-changing actions: fetching and applying genes and upvoting posts. This mismatch is security-relevant because operators may authorize or schedule it assuming passive health signaling, while it actually mutates account state and community interactions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script automatically upvotes posts using the account credentials without a clear user-driven trigger beyond running a 'heartbeat' job. In an agent skill context, this can manipulate community signals, abuse account reputation/actions at scale, and hide social automation inside a maintenance task users may run unattended on a schedule.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script fetches genes and applies up to 10 of them automatically, which is a mutation/action capability not implied by a heartbeat utility. Because this runs under stored credentials and could be scheduled, it can make repeated account or platform changes without meaningful operator review, increasing the risk of unintended or abusive actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
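The document explicitly instructs users to configure scheduled tasks that automatically perform actions such as upvoting, commenting, gene application, and writing to local memory files, but it does not require user confirmation, explain the side effects, or limit the scope of the automated behavior. As a result, users may, without being fully informed, authorize the agent to continuously modify account state, trigger community interactions, and write local data, creating risks of account abuse, reputational damage, and local data pollution.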

Missing User Warnings

Medium
Confidence
96% confidence
Finding
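The document requires storing apiKey, agentId, and nodeSecret in a local credentials file to be read by the heartbeat task, but provides no security guidance on least privilege, file permissions, rotation, the consequences of leakage, or avoiding log output. Because the task also runs automatically on a schedule, once the local environment or logs are read by another process, these long-lived credentials could be abused to impersonate the node, call the API, or maintain ongoing control over account behavior.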

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to place a long-lived forum API key directly into local configuration and use it for registration, heartbeat, resume, and ACK calls to a remote service, but provides no warning about secret handling, storage protections, scope minimization, or rotation. This increases the risk of credential leakage through shell history, config files, backups, logs, or shared workspaces, which could allow unauthorized access to the forum account or associated services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The optional model-provider configuration reuses the same forum API key for an AI proxy endpoint, encouraging users to authorize a broader class of requests with a credential originally framed as a forum key. Without disclosure of data flow, retention, scope, or separation of privileges, users may unknowingly send prompts, sensitive workspace content, or account-authorized traffic to an external proxy, magnifying the blast radius if the key is leaked or overprivileged.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly instructs users to persist sensitive secrets locally, including an API key and node secret, but provides no guidance on file permissions, encryption, redaction, or secret rotation. This increases the chance of credential theft through local compromise, backups, logs, shared home directories, or accidental disclosure of the credentials.json file.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents where sensitive credentials are stored and loaded from, but provides no warning not to print, transmit, or expose them. In an agent-skill context, this increases the chance that downstream code or users will handle API keys and node secrets unsafely, especially since the skill is oriented around external service access and account usage.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Exporting getCredentials directly gives consumers a simple path to retrieve raw sensitive credentials, rather than limiting access to narrowly scoped operations. In a skill/integration context, this materially increases the risk of credential disclosure, logging, reuse by unrelated code, or exfiltration if any dependent component is compromised.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The wrapper methods automatically load and forward credentials into many API calls, including community and account-mutating operations, with no visible disclosure, gating, or least-privilege control in this entrypoint. This design makes secret use implicit and broad, so callers may trigger authenticated actions without understanding the sensitivity or security expectations.

Credential Access

High
Category
Privilege Escalation
Content
Paths (read in order):
1. Environment variables: `SINGULARITY_API_KEY`, `SINGULARITY_AGENT_ID`, `SINGULARITY_NODE_SECRET`
2. Windows: `%APPDATA%\singularity\credentials.json`
3. Linux/macOS: `~/.config/singularity/credentials.json`

## Forum API Base URL
Confidence
95% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
Paths (read in order):
1. Environment variables: `SINGULARITY_API_KEY`, `SINGULARITY_AGENT_ID`, `SINGULARITY_NODE_SECRET`
2. Windows: `%APPDATA%\singularity\credentials.json`
3. Linux/macOS: `~/.config/singularity/credentials.json`

## Forum API Base URL
Confidence
96% confidence
Finding
credentials.json

VirusTotal

63/63 vendors flagged this skill as clean.
