
Security audit

Tencent Cloud LKE Agent Chat

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Tencent Cloud LKE chat helper whose stated purpose is to send user-provided chat data to Tencent Cloud.

Install only if you intend to use Tencent Cloud LKE. Treat prompts, visitor IDs, custom variables, labels, file URLs, and thought/raw output as potentially sensitive data sent to or received from Tencent Cloud. Use a dedicated AppKey, avoid putting secrets or regulated personal data in messages or metadata unless approved, and prefer safer secret handling than passing the key directly on the command line.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium severity, 82% confidence
Finding: The script explicitly parses and prints `thought` events, which may expose model reasoning traces or internal debugging content to users or logs. Even if the upstream API provides these events, surfacing them by default increases the risk of leaking sensitive prompts, internal chain-of-thought-like content, or other unintended metadata beyond the core chat response.

Context-Inappropriate Capability

Medium severity, 88% confidence
Finding: In raw mode, the client prints every SSE line directly to stdout without filtering by event type or sensitivity. This can expose full server responses, including metadata, errors, references, or reasoning/debug output, which may then be captured in terminal history, logs, or downstream tooling.

Missing User Warnings

Medium severity, 95% confidence
Finding: The documented request body sends user content, visitor identifiers, session identifiers, custom variables, and optional file URLs to a remote Tencent Cloud API without any visible privacy warning, consent language, or data-handling guidance. This can expose sensitive user prompts or linked documents to an external service unexpectedly, especially in environments where operators assume local-only processing.

Missing User Warnings

Medium severity, 89% confidence
Finding: The reference explicitly documents sending `visitor_biz_id` and potentially other user-associated fields to a Tencent Cloud remote endpoint, but it does not warn skill users that these values may contain personal or business-sensitive data. In an agent skill context, missing privacy guidance increases the chance that downstream integrators will transmit identifiers or sensitive metadata without consent, minimization, or policy review.

Missing User Warnings

Medium severity, 92% confidence
Finding: The workflow example includes a concrete `UserID` inside `custom_variables`, normalizing the practice of forwarding business/user identifiers to the external service without any caution about sensitivity. Examples strongly influence implementation, so this can lead developers to pass personal, account, or order data into third-party processing flows by default.

Missing User Warnings

Medium severity, 75% confidence
Finding: The script sends chat content plus optional custom variables, labels, and file metadata to a remote Tencent Cloud endpoint, but it does not clearly warn users that potentially sensitive data will leave the local environment. In a skill context, this matters because operators may pass personal, internal, or regulated data assuming the tool is only performing local processing.

Missing User Warnings

Medium severity, 94% confidence
Finding: Accepting the AppKey on the command line exposes the credential to shell history, process listings, and debugging tools on the host system. This is a common secret-handling weakness that can lead to credential disclosure, especially on shared machines or CI environments.

VirusTotal

66/66 vendors flagged this skill as clean.
