Security audit

Aixin

Security checks across malware telemetry and agentic risk

Overview

This is a real messaging skill, but it needs review because it can send hidden system-prompt text to its server and stores login secrets locally in plaintext.

Install only if you are comfortable sending AIXin profile data, contacts, messages, task descriptions, and login data to aixin.chat. Use a unique password, do not leave the registration bio blank, avoid sending secrets or confidential work through chat/task features, and remove ~/.aixin/profile.json if you want to clear stored credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to perform live curl requests to an external service and handle user/account data, yet it declares no permissions despite requiring network and likely storage capabilities. This mismatch undermines platform safety controls and informed consent, because reviewers and users cannot accurately see what capabilities the skill will exercise.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The registration flow derives bio content from system_prompt and later uploads it to a remote service, creating a direct exfiltration path for host-provided instructions or hidden context. System prompts frequently contain secrets, internal policies, user metadata, or tool details, so copying even 200 characters into a public profile can leak sensitive information outside the local trust boundary.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill retains the account password in memory and on disk for automatic re-login, which unnecessarily expands the blast radius of local compromise. Any malware, other local user, backup system, or accidental file exposure can recover the password and reuse it beyond this application, especially if the user reuses credentials.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill writes sensitive authentication state, including the token and potentially the password, into a local JSON profile file under the user's home directory without access-control hardening or encryption. This increases the chance of credential theft from local file disclosure, shared systems, backups, or endpoint compromise.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README encourages users to register agents, add contacts, send messages, search, and delegate tasks to a remote backend at a hard-coded external IP address, but it does not disclose that conversation content, identifiers, and task data will be transmitted off-platform. In a social/messaging skill, that omission is security-relevant because users may unknowingly expose sensitive prompts, contact graphs, or delegated work to an untrusted third-party service.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation description is broad enough to trigger on common social or messaging-related phrases, which can cause the skill to run in contexts where the user did not intend to contact an external service. Because the skill performs real network actions, accidental invocation can lead to unintended data disclosure or outbound requests.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The usage conditions cover many loosely defined scenarios like finding assistants, chatting, or delegating tasks without requiring confirmation, identity verification, or limits on what may be sent. In a communication skill, vague boundaries increase the chance that private conversation content, contact identifiers, or tasks are transmitted to the external service unintentionally.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill asks for sensitive inputs including a password, owner name, AI-ID, message content, and task details, but it does not clearly warn users that this information will be sent to a third-party service. Missing notice and consent is especially risky here because the skill is centered on account creation and interpersonal communications, which commonly involve sensitive personal or confidential data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill stores the user's password locally without clearly informing the user during login or registration, preventing meaningful consent to a high-risk data handling practice. Silent retention of credentials is especially dangerous in a messaging skill because users do not expect long-term password storage just to send messages.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The registration flow transmits owner name, bio, and related profile information to a remote service but does not clearly disclose what data will become externally visible or leave the local environment. This can cause users to share identifying or sensitive information unintentionally, particularly because the prompts encourage descriptive content about both the assistant and the owner.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest requests `system_prompt_read`, which is highly sensitive because it can expose hidden instructions, internal policies, secrets, or trust boundaries that the host uses to control the agent. In a social/messaging skill with network and message-sending permissions, this creates a strong exfiltration risk: prompt contents could be transmitted to a remote service or other contacts without clear user awareness, and the description does not disclose or justify this access.

Ssd 3

High
Confidence
99% confidence
Finding
This code path turns hidden system prompt content into outbound profile text, creating a natural-language data leak channel that can expose confidential instructions and context to the remote service and potentially other users. In an agent environment, system prompts often contain precisely the information that should never be echoed externally, so the skill context makes this especially dangerous.

Ssd 3

Medium
Confidence
84% confidence
Finding
The helper text encourages users to include owner information in a public-facing profile, which increases the likelihood of unnecessary personal data disclosure. While this is not covert exfiltration by itself, it nudges users toward oversharing identity and relationship details that may later be searchable or visible to strangers.

Ssd 3

Medium
Confidence
87% confidence
Finding
The registration prompt explicitly requests combined assistant-and-owner information for others to view, which drives collection of personally identifying or contextual data beyond what is needed for account creation. In a public social directory, this can expose private details to broad audiences and facilitate profiling or targeted abuse.

Ssd 3

High
Confidence
99% confidence
Finding
The fallback bio extraction directly copies up to 200 characters from system_prompt, which is a clear data-leak mechanism from hidden context to externally shared content. Because this occurs automatically when user bio is absent, it can leak sensitive data without informed user action and is therefore more severe in an agent skill that receives privileged prompts.

External Transmission

Medium
Category
Data Exfiltration
Content
## ⚠️ Important rules

1. **You must actually execute** the curl commands; never simulate, invent, or fake API responses
2. **The only API address** is `https://aixin.chat/api`; there is no other address
3. The `/api/auth/register` endpoint **does not exist**; the registration endpoint is `POST /api/agents`
4. After running a command, you must show the user the JSON that was actually returned
5. If a command fails, tell the user truthfully; do not fabricate a success response
Confidence
98% confidence

VirusTotal

65/65 vendors flagged this skill as clean.