Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Alibaba Cloud deployment helper, but it asks users to create broad, long-lived cloud credentials and paste them into chat.

Review before installing. Use only a dedicated least-privilege RAM user scoped to the exact bucket and domain, avoid pasting secrets into chat, supervise any browser automation or paid domain steps, and rotate or delete the AccessKey after deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill’s stated purpose is static-site deployment, but it also walks the user through creating a RAM user and granting broad OSS, DNS, and CDN permissions. That expands the privilege scope far beyond minimal deployment needs and creates a real risk of overprivileged cloud access if the stored credentials are exposed or misused.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Embedding identity and access management administration into a deployment helper is not clearly justified and materially increases the blast radius of the skill. A user invoking a deploy-oriented workflow may unintentionally authorize powerful account changes, including creation of long-lived credentials and wide cloud permissions.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The security note claims the AccessKey 'will not be transmitted to any external server,' but the validation and deployment steps necessarily send those credentials to Alibaba Cloud APIs. This is a misleading security assurance that can cause users to make trust decisions based on false information.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The guide expands a static-site OSS deployment skill into domain purchase and real-name (实名) identity-verification steps that are not necessary for many OSS deployment scenarios. This broadens the operational scope, nudges users into unrelated financial and identity workflows, and increases the blast radius if the skill is abused or misleading.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The documentation instructs users to grant AliyunOSSFullAccess, AliyunDNSFullAccess, and AliyunCDNFullAccess, which exceeds the stated OSS deployment scope. Over-privileged credentials materially increase the consequences of credential theft or tool misuse, enabling DNS changes, CDN control, and wider account impact beyond simple object storage uploads.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The guide tells users to create a permanent AccessKey and later paste it into the tool, creating long-lived reusable cloud credentials. Permanent secrets are significantly riskier than temporary credentials because compromise enables persistent unauthorized access until manually rotated or revoked.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases include broad everyday terms such as '部署' (deploy), '发布' (publish), '上线' (go live), and '更新凭证' (update credentials), which can cause the skill to activate in contexts the user did not intend. Because the skill handles cloud credentials and deployment actions, accidental invocation materially increases the chance of unwanted sensitive prompts or operations.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs users to paste AccessKey ID and Secret directly into the conversation without a strong warning about the risks of sharing secrets in chat. This creates a clear secret-handling vulnerability because conversation channels may be logged, retained, inspected, or exposed beyond the user’s expectation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill writes credentials to a local file and later updates that file, but does not clearly warn users about overwrite, persistence, rotation, or local compromise risks. While local storage itself is not inherently unsafe, silently normalizing credential file writes can lead to accidental replacement or insecure long-term retention of sensitive keys.

Ssd 3

High
Confidence
99% confidence
Finding
This is a direct conversational secret-harvesting pattern: the skill asks the user to paste cloud credentials into chat and then extracts and stores them from the message text. Even if intended for convenience, this is dangerous because chat content is frequently logged, persisted, and accessible to systems beyond the local machine.

Ssd 3

High
Confidence
99% confidence
Finding
The manual setup flow repeats the same unsafe pattern by collecting AccessKey ID and Secret through the conversation channel. In the context of a cloud deployment skill, this is especially dangerous because the gathered credentials can grant durable access to the user’s Alibaba Cloud resources.

Session Persistence

Medium
Category
Rogue Agent
Content
      <p class="step-text">.top 域名首年约 ¥6,非常便宜。购买后需完成实名认证才能正常使用。</p>
    </div>

    <!-- Step 4: Create RAM User + Get AccessKey -->
    <div class="step-content" data-step="3">
      <h2 class="step-title">创建 RAM 用户并获取 AccessKey</h2>
Confidence
92% confidence
Finding
Create RAM User + Get AccessKey --> <div class="step-content" data-step="3"> <h2 class="step-title">创建 RAM 用户并获取 AccessKey</h2> <div class="step-screenshot-row"> <ol class="su

VirusTotal

66/66 vendors flagged this skill as clean.
