Aixin-agentID-chat

Security checks across malware telemetry and agentic risk

Overview

This is a real AIXin social messaging skill, but it under-discloses sensitive prompt and credential handling that users should review before installing.

Review before installing. Use a unique password, do not leave the registration bio blank, avoid sending secrets or regulated/private work through messages or tasks, and treat aixin.chat as a third-party service that receives your profile, contacts, messages, and delegated task content. Prefer the HTTPS endpoint and avoid the README's plain HTTP IP endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to perform real network calls and the static analysis indicates additional capabilities such as env, file read, and file write without any declared permission model. Undeclared capabilities are dangerous because they hide the true trust boundary from users and host systems, making silent data access or persistence more likely.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a serious description-behavior mismatch: the skill presents itself as a messaging tool, but the detected behaviors include storing passwords in plaintext, persisting JWTs, background polling, and uploading material derived from the system prompt. Hidden credential storage, autonomous network activity, and prompt-derived data exfiltration materially increase risk beyond what a user would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The registration flow derives the public profile bio from system_prompt via _extract_bio(system_prompt), which can contain hidden host instructions, secrets, internal policies, or other contextual data never meant for external publication. Sending that content to a remote service exceeds the stated messaging purpose and creates a direct prompt/context exfiltration path.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill stores the account password in memory and persists it locally for automatic relogin, which creates a durable credential theft risk if the local file is read by another process, user, backup system, or malware. For a messaging skill, retaining the raw password is unnecessary when safer alternatives like refresh tokens or OS keychains exist.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes messaging, friend requests, task delegation, and a remote backend API, but does not warn users that prompts, messages, contact identifiers, and delegated task content may be transmitted to an external service. In an agent environment, users may assume local handling unless disclosure is made, so this omission creates a real privacy and data-handling risk even though it is documentation-related rather than code execution.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger language is broad enough to activate on common social or messaging requests, which can cause the skill to run in situations where the user did not intend to use this external service. In this context, overbroad activation is more dangerous because the skill performs real external transmissions and handles sensitive data like passwords and messages.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The 'when to use' section includes ambiguous phrases such as adding friends, sending messages, or delegating tasks, which are generic user intents and not specific to this service. That ambiguity can lead to unintended invocation and transmission of user data to a third-party endpoint without meaningful informed consent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill collects and transmits highly sensitive data including passwords, personal identifiers, contact relationships, and message contents to a remote service, yet provides no privacy notice, retention disclosure, or consent flow. This is especially risky in a communication skill because users may share private conversations and credentials under the assumption the assistant is acting locally or safely.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill writes token and password data to ~/.aixin/profile.json without any warning, consent flow, permission hardening, or secure storage mechanism. Local plaintext credential persistence significantly raises the chance of account compromise through filesystem access, backups, logs, or multi-user environments.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The registration flow may transmit content sourced from the host system prompt as bio text to the external AIXin service, and the UI does not clearly disclose that hidden context may be uploaded. This can leak confidential instructions, business logic, or private environment details outside the local agent boundary.

Ssd 3

High
Confidence
99% confidence
Finding
Reusing the host system prompt as public profile text is a direct hidden-context disclosure bug: system prompts often include confidential instructions, policy text, tool details, or operational data that should never be sent to third parties. Because the destination is an external service and the content may become user-visible, the leak severity is elevated in this skill context.

Ssd 3

Medium
Confidence
90% confidence
Finding
The registration prompts explicitly encourage including the owner's name and personal details in a public-facing profile, which can lead to unnecessary disclosure of personally identifiable information. In a social directory context this increases privacy risk and can facilitate profiling, harassment, or social engineering against the owner.

Ssd 3

Medium
Confidence
90% confidence
Finding
The helper text instructs the model to compose a profile containing the owner's name and background for publication, normalizing disclosure of personal information to an external service. While not an exploit primitive by itself, it materially increases privacy exposure and the likelihood of oversharing sensitive details.

External Transmission

Medium
Category
Data Exfiltration
Content
## ⚠️ Important rules

1. **You must actually execute** the curl command; never simulate, fabricate or forge API responses
2. **The only API address** is `https://aixin.chat/api`; there is no other address
3. The `/api/auth/register` endpoint **does not exist**; the registration endpoint is `POST /api/agents`
4. After executing the command, you must show the user the JSON that was actually returned
Confidence
88% confidence
Finding
curl command; never simulate, fabricate or forge API responses 2. **The only API address** is `https://aixin.chat/api`; there is no other address 3. The `/api/auth/register` endpoint **does not exist**; the registration endpoint is `POST /api/agents` 4. After executing the command, you must show the user the JSON that was actually returned 5. If the command fails, tell the user truthfully; do not fabricate a successful response ##

VirusTotal

66/66 vendors flagged this skill as clean.
