MBTI Coach — Personality Development System

Security checks across malware telemetry and agentic risk

Overview

The skill’s MBTI coaching purpose is coherent, but its optional Feishu/Lark calendar helper exposes credentials, can mutate an external calendar, and is under-disclosed.

Review or patch scripts/feishu_calendar.sh before enabling calendar sync. Do not run the token debug command, use least-privilege Feishu/Lark credentials, confirm each calendar write, keep data/profile.json private, and treat the README privacy claim as incomplete because calendar events can leave the local machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README states that 'Nothing is shared externally' while elsewhere documenting Feishu/Lark calendar integration, which inherently involves sending data to an external service when enabled. This is a misleading privacy claim that can cause users to consent to the skill under false assumptions and underestimate the exposure of personal scheduling or profile-derived data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The documented `token` debug command explicitly prints a live Feishu tenant access token to stdout. Tokens are bearer credentials, so exposing them in terminal history, logs, or calling-process output can allow unauthorized API access until the token expires.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger keywords include broad phrases such as 'MBTI', '安排日程', and '查看进度', which can cause the skill to activate in contexts the user did not intend. In an agent environment, overly broad activation increases the chance of unprompted access to personal profile data or initiation of actions like schedule management without sufficiently clear user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The feature description advertises personalized scheduling and Feishu/Lark integration without warning that the skill may affect data in an external account. Users may not realize that using this feature could create, modify, or synchronize calendar entries with a third-party service, which is especially sensitive in a coaching skill handling personal development information.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases include very broad, common language such as "I want to become," "check my progress," and "as an X type," which could cause the skill to activate in unrelated conversations. Unintended invocation is risky here because the skill immediately begins collecting and storing sensitive personality and behavioral data, increasing privacy and consent concerns.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs reading and writing `data/profile.json` containing sensitive psychological profile data, historical self-assessments, stress signals, and behavior tracking, but provides no user-facing notice, consent flow, retention policy, or access controls. This creates a real privacy vulnerability because sensitive personal data may be stored without informed consent or adequate safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The calendar integration sends user scheduling data to Feishu/Lark using external credentials, but the skill does not clearly warn users that their exercise titles, dates, and potentially sensitive self-improvement context will be shared with a third-party service. This is dangerous because it can disclose personal behavioral goals and inferred personality-development activities outside the local environment without informed consent.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
`cmd_token()` returns the raw access token with no confirmation, warning, or redaction. In an agent or automation context, stdout is often captured, persisted, or surfaced to other components, making accidental credential disclosure likely.

Credential Access

High
Category
Privilege Escalation
Content
# 3. .env in the skill directory
  local skill_dir
  skill_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
  local env_file="$skill_dir/.env"
  if [[ -f "$env_file" ]]; then
    # shellcheck disable=SC1090
    source "$env_file"
Confidence
88% confidence
Finding
.env"

VirusTotal

VirusTotal findings are pending for this skill version.
