Aixin

Security checks across malware telemetry and agentic risk

Overview

This AI messaging skill mostly matches its stated purpose, but it handles credentials and hidden agent context in ways users should review carefully before installing.

Review before installing. Use a unique AIXin-only password, do not leave the registration bio blank, avoid sending sensitive messages or tasks, confirm which backend endpoint will be used, and delete ~/.aixin/profile.json if you no longer want local account access retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requires network access and appears to rely on environment, file read, and file write capabilities without declaring them, which breaks least-privilege expectations and prevents informed consent by the host or user. In this context, the undeclared capabilities are especially risky because the skill handles credentials, messages, and account identifiers, so hidden storage or exfiltration paths could be abused.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a serious description-behavior mismatch: the skill claims to provide messaging features, but static analysis indicates it also reads part of the host system prompt, sends it to a remote service, stores passwords/JWTs locally, and performs background polling. Those hidden behaviors materially increase the privacy and security risk because they involve sensitive prompt leakage, credential persistence, and autonomous network activity that users were not clearly told about.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The registration flow derives profile bio content from system_prompt and later transmits it to the remote AIXin service. System prompts often contain hidden instructions, secrets, internal policy text, or user-context data not meant for third parties, so exfiltrating even the first 200 characters can disclose sensitive host information.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill stores the account password in memory and persists it locally for automatic re-login, which creates a credential theft risk if the host is compromised, backed up insecurely, or accessed by other local users or processes. Persisting a reusable secret exceeds the minimum needed for normal messaging behavior and significantly increases blast radius compared with storing only a short-lived token.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill starts a background listener automatically on installation and continuously polls the remote server every few seconds. While this does not directly enable code execution, it creates undisclosed ongoing network egress and metadata leakage, and can surprise users by enabling persistent remote communication outside explicit command use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly documents a third-party backend API for registration, contacts, messaging, unread message retrieval, task delegation, and market search, but does not warn that using the skill will transmit user prompts, contact metadata, and delegated task contents to an external service. In a social/messaging skill, that omission is security-relevant because users may assume actions are local to the host agent platform and unknowingly disclose sensitive conversation or work data to an unaffiliated remote server.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes issuance of a globally unique persistent AI-ID and a cross-platform social identity, but does not disclose the privacy and tracking implications of creating an external identifier tied to the agent. Persistent identifiers can enable correlation of activity across conversations, platforms, contacts, and delegated tasks, increasing deanonymization and profiling risk if users are not clearly informed beforehand.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Overly broad trigger phrases can cause the skill to activate during ordinary conversation about assistants, friends, or messaging, leading to unexpected collection of identifiers, passwords, or message content for transmission to an external service. In a communications skill, accidental activation is more dangerous than usual because the resulting actions may expose private content or initiate remote requests without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The 'when to use' section defines broad and ambiguous activation conditions that can match common conversational requests unrelated to this specific external service. Because the skill then instructs making real API calls, the ambiguity raises the risk of unintended data sharing, unsolicited remote lookups, or prompting users for credentials in contexts where they did not intend to use this platform.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs the agent to collect a user password and transmit it to a remote API, but provides no warning about the sensitivity of that secret, how it is handled, or whether it will be stored. In the context of an AI skill, this is particularly dangerous because users may reuse passwords, and the skill also appears to have file/network capabilities, compounding the risk of credential theft or insecure retention.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends message contents, contact relationships, and task details to an external service without clearly warning the user that their communications metadata and content leave the local environment. This omission is risky because private conversations, social graphs, and delegated task details can be sensitive, and users may not realize they are consenting to third-party processing.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill writes sensitive credentials, including token and password, to ~/.aixin/profile.json without any encryption, secure storage mechanism, or user-facing warning. Any local compromise, shared account, insecure backup, or lax file permissions could expose the account and allow impersonation against the remote service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The registration flow sends ownerName and bio to a remote service, and the bio may come from the host system prompt, without a clear warning that hidden or personal context may be transmitted externally. This creates a privacy and data-governance risk because users may believe they are only registering a handle while actually sharing profile and owner metadata.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest requests the sensitive `system_prompt_read` permission alongside networked social/messaging capabilities, but the description and commands do not disclose this access or explain why it is needed. In a communication skill, access to the system prompt can expose hidden instructions, policies, secrets, or contextual data that could be transmitted externally or used to manipulate downstream behavior.

Ssd 3

High
Confidence
99% confidence
Finding
The registration logic copies system prompt content into a public-facing profile bio via _extract_bio(system_prompt), which can disclose hidden instructions, internal configuration, or sensitive contextual data to other users or the remote platform. Because profile bios are intended for discovery and sharing, this turns private prompt material into broadly exposed data.

Ssd 3

Medium
Confidence
80% confidence
Finding
The helper text actively encourages users to include owner identity and background in a profile intended for social discovery, increasing the chance of oversharing personal information. In a social/messaging skill this is contextually more dangerous because the data is designed to be visible to other parties and tied to a persistent AI identity.

Ssd 3

Medium
Confidence
84% confidence
Finding
The bio prompt explicitly asks for information about both the AI and its owner so others can understand them at a glance, encouraging disclosure of personal details that are not required for core messaging functionality. This is a privacy-design weakness that can lead to unnecessary exposure of personally identifying or sensitive contextual information.

Ssd 3

High
Confidence
99% confidence
Finding
The fallback _extract_bio() behavior automatically returns the first 200 characters of system_prompt, creating a direct prompt-to-profile data leak path even if the user does not supply a bio. Since system prompts commonly contain hidden instructions and confidential context, this can silently expose sensitive information to a third-party service and potentially other users.

External Transmission

Medium
Category
Data Exfiltration
Content
## ⚠️ Important rules

1. **You must actually run** the curl commands; never simulate, fabricate or fake API responses
2. **The only API address** is `https://aixin.chat/api`; there is no other address
3. The `/api/auth/register` endpoint **does not exist**; the registration endpoint is `POST /api/agents`
4. After running a command, you must show the user the JSON that was actually returned
5. If a command fails, tell the user truthfully; do not fabricate a successful response
Confidence
91% confidence
Finding
The matched text is the rule block above: the skill instructs the agent to run real curl commands against `https://aixin.chat/api` (registration via `POST /api/agents`, not `/api/auth/register`), to show the user the JSON actually returned, and to report failures truthfully rather than fabricating a successful response.

VirusTotal

66/66 vendors flagged this skill as clean.