macos-suite-readonly

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: read selected macOS Mail, Calendar, Notes, and stock quote data, with privacy-sensitive access users should understand before use.

Install only if you are comfortable letting an agent read selected Mail, Calendar, and Notes information through macOS permissions and return it in JSON. Treat unread email subjects/senders, calendar details, and note snippets as private data, and be aware that stock quote commands contact qt.gtimg.cn with requested symbols.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises itself as a read-only macOS query tool, but its metadata only declares required binaries and does not declare the effective capabilities implied by those binaries: shell execution and likely network access. This creates a transparency and policy-enforcement gap: an agent or platform may approve or invoke the skill without understanding that it can run local commands and fetch remote stock data, increasing the risk of over-privileged execution and unnoticed data exposure.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The skill is presented as a macOS read-only local query tool, but it also performs outbound network access to a third-party stock quote service. This expands the trust boundary and creates an undeclared data flow to an external provider, which can violate user expectations, policy constraints, or deployment assumptions.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The code contains outbound HTTP capability not strictly required for local Mail, Calendar, and Notes queries, increasing attack surface and privacy exposure. Even though the domain is allowlisted, network egress can be inappropriate in restricted environments and may surprise users expecting a purely local read-only skill.

Missing User Warnings

Medium
Confidence: 80%
Finding
The skill reads potentially sensitive Mail, Notes, and Calendar content and returns it as JSON without any in-code warning, consent flow, scoping guardrails, or minimization beyond simple limits. In an agent setting, this can expose private local data to downstream systems or prompts without the user clearly understanding what categories of content will be accessed.

Missing User Warnings

Low
Confidence: 79%
Finding
User-supplied stock symbols are transmitted to a remote service without any visible disclosure in the code. While stock symbols are generally low sensitivity, this still creates an undisclosed outbound data flow and can reveal user interests or workflow context to a third party.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger pattern "行情" (Chinese for "market quotes" or "market conditions") is very broad and can match ordinary conversation about market conditions, pricing, or trends, causing the skill to activate unintentionally. Because the skill can invoke the exec tool and query local macOS apps, accidental activation increases the chance of unprompted access to Mail, Calendar, or Notes data in contexts where the user did not clearly intend it.

VirusTotal

65/65 vendors flagged this skill as clean.