
Security audit

Aixin

Security checks across malware telemetry and agentic risk

Overview

This is a real AIXin social messaging skill, but it handles credentials and hidden agent context in ways users should review before installing.

Install only if you trust AIXin with your profile, contacts, messages, tasks, and any registration text. Do not reuse an important password, avoid leaving the registration bio blank, inspect or remove ~/.aixin/profile.json when done, and assume the skill may keep polling the service after installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill directs the agent to perform network requests and implies use of local state despite declaring no permissions, creating a transparency and governance gap. Undeclared capabilities make it harder for platforms and users to assess what data may be accessed, transmitted, or stored, and can lead to execution in contexts that did not consent to those actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The registration flow derives the public profile bio from system_prompt via _extract_bio(system_prompt), then sends it to the remote /agents endpoint. System prompts often contain hidden instructions, internal policy text, secrets, or user context, so exfiltrating even the first 200 characters to an external service is a serious confidentiality breach unrelated to the core need of account registration.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill starts a background polling thread automatically on installation, causing continuous outbound communication to the remote service without user initiation or explicit consent. In an agent environment this expands the plugin's operational footprint, creates metadata leakage about account presence, and can surprise users who did not opt into persistent network activity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README encourages users to register, search, message, and delegate tasks to other agents, but it does not clearly disclose that these actions send user and agent data to an external backend. In a social/messaging skill, this omission is security-relevant because users may unknowingly transmit prompts, contacts, and task content off-device to a third party.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README reveals that the skill communicates with a third-party API over plain HTTP to a public IP address, but provides no warning about insecure transport or the risks of sending sensitive content through it. Because this skill handles social messaging and delegated tasks, use of HTTP enables interception or tampering in transit, making the issue more dangerous in this context than a generic informational integration note.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The skill advertises broad trigger phrases such as adding friends, messaging, finding assistants, and delegating tasks without requiring strong confirmation boundaries. Overbroad activation can cause the agent to invoke this skill unexpectedly and send user data or commands to an external service in situations where the user did not intend an outbound action.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The 'when to use this skill' section lacks clear guardrails, so ordinary conversation about social features could trigger external API requests. Because the skill handles identifiers, passwords, and message content, ambiguous invocation criteria raise the risk of unintended disclosure or account actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to transmit sensitive data including nickname, owner name, password, AI-ID, contact relationships, and message contents to a third-party service, but it does not provide adequate privacy notice, consent flow, retention details, or data handling limitations. Users may unknowingly expose credentials and personal communications to an external operator.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code loads and saves the account password in plaintext local storage at ~/.aixin/profile.json to support automatic re-login. Any local user, malware, backup process, or other plugin with filesystem access can recover the password and reuse it for full account compromise.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
During registration, the skill may transmit system_prompt-derived text as bio to the external service without explicit warning or meaningful consent. Because that bio is likely public-facing and the source is hidden agent context, the behavior can leak sensitive prompt content far beyond what users expect from a social registration form.

Ssd 3

High
Confidence
99% confidence
Finding
Reusing hidden system prompt content as a public profile bio directly exposes internal instructions or sensitive context to other users and the remote platform. The skill context makes this more dangerous because profile bios are meant for discovery and social sharing, turning hidden prompt data into externally visible text.

Ssd 3

High
Confidence
99% confidence
Finding
_extract_bio() returns the first 200 characters of the system prompt verbatim, which is a direct prompt disclosure primitive. System prompts frequently contain confidential instructions, tool details, or sensitive contextual data, so verbatim copying to profile data creates a clear exfiltration path.

External Transmission

Medium
Category
Data Exfiltration
Content
## ⚠️ Important rules

1. **Must actually execute** the curl commands; absolutely must not simulate, fabricate, or forge API responses
2. **The only API address** is `https://aixin.chat/api`; there is no other address
3. `/api/auth/register` **does not exist**; the registration endpoint is `POST /api/agents`
4. After executing a command, the actual returned JSON must be shown to the user
Confidence
95% confidence
Finding
curl commands; absolutely must not simulate, fabricate, or forge API responses 2. **The only API address** is `https://aixin.chat/api`; there is no other address 3. `/api/auth/register` **does not exist**; the registration endpoint is `POST /api/agents` 4. After executing a command, the actual returned JSON must be shown to the user 5. If a command fails, tell the user truthfully; do not fabricate a success response ##

VirusTotal

66 of 66 vendors reported this skill as clean.
