Aiclient2api Usage

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its usage-checking purpose, but it silently reads a local password file (configs/pwd) and authenticates to a localhost service, where a user would reasonably expect a read-only usage check.

Install only if you are comfortable letting the skill read ~/web/AIClient-2-API/configs/pwd and usage-cache.json, authenticate to the local AIClient2API service, refresh usage data, and print account and billing-related usage details. Prefer directly reading the cache file or reviewing the scripts first if you only want a read-only summary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill instructs the agent to run shell commands (`bash ...`, `cat ...`) but declares no permissions, creating a capability mismatch that can bypass user expectations and policy controls. In this context, the shell access is used to read local files containing account and potentially sensitive operational data, so the undeclared capability is materially relevant rather than harmless documentation.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The documented behavior goes beyond passive usage checking and describes using a password from `configs/pwd`, authenticating to a local service, and triggering refresh actions. That is a significant expansion from the stated purpose and can lead an agent to access credentials and perform state-changing operations on a local authenticated service without clear consent or disclosure.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The script accesses a locally stored password file and uses that credential to authenticate automatically, which expands the skill from passive usage display into credential handling. Even though it targets localhost, this still grants the skill access to sensitive authentication material and creates unnecessary exposure if the script, logs, environment, or downstream service are compromised.

Missing User Warnings

Medium
Confidence: 95%
Finding
The notes explicitly tell the operator to obtain a password from `configs/pwd`, revealing a sensitive credential source with no warning or access restrictions. In an agent-skill setting, documenting credential locations can prompt automated or semi-automated secret retrieval from the local filesystem, increasing the risk of credential exposure and misuse.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script silently reads a password from disk and submits it in a login request without user awareness or consent, which is unsafe secret-handling behavior. This is especially concerning in an agent skill because the stated purpose is usage monitoring, not credential collection, so the credential access is broader than users would reasonably expect.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script prints sensitive account metadata directly to stdout, including email address, subscription tier, quota consumption, overage policy, and current charges. In an agent skill context, stdout is often surfaced back to the requesting user or logged by orchestration systems, so this can disclose billing and account information without any access check, redaction, or explicit confirmation.

Missing User Warnings

High
Confidence: 99%
Finding
If jq is unavailable, the script falls back to dumping the entire usage cache JSON to stdout. That raw cache may contain significantly more sensitive data than the formatted path, including tokens, internal identifiers, full account records, or other fields not intended for user exposure, making this a stronger data-leak path.
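The two stdout findings above (the formatted account dump and the raw-cache fallback) come down to one design choice: which fields are allowed to leave the cache, and what happens when the formatter is missing. The following bash script is an added example, not the skill's own code. It produces the read-only summary the overview recommends: it never opens configs/pwd or logs in to the local service, prints only an explicit allowlist of fields with the e-mail masked, and fails closed with a non-zero exit when jq is absent instead of dumping the whole file. The JSON field names (.email, .tier, .quota.used, .quota.limit, .overage_policy, .current_charges), the JQ_BIN override and the sample cache are constructed assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own script): read-only usage summary from
# the AIClient-2-API usage cache. Never reads configs/pwd, never logs in.
# Field names, JQ_BIN and the sample data below are assumptions.
set -u

: "${JQ_BIN:=jq}"   # override lets a test point at a missing binary

# Mask an e-mail so only the first character of the local part and the
# domain survive: alice@example.com -> a***@example.com
mask_email() {
  local addr=$1 local_part domain
  local_part=${addr%%@*}
  domain=${addr#*@}
  if [ "$local_part" = "$addr" ]; then   # no '@' present: hide it all
    printf '%s\n' '***'
    return
  fi
  printf '%.1s***@%s\n' "$local_part" "$domain"
}

# Print only allowlisted fields. Fail closed (exit 2, nothing on stdout)
# when jq is unavailable instead of dumping the raw cache JSON, which may
# carry tokens and internal identifiers the summary is not meant to show.
summarize_usage() {
  local cache=$1 email
  [ -r "$cache" ] || { echo "usage cache not readable: $cache" >&2; return 1; }
  if ! command -v "$JQ_BIN" >/dev/null 2>&1; then
    echo "jq not found; refusing to dump raw cache (may contain tokens)" >&2
    return 2
  fi
  email=$("$JQ_BIN" -r '.email // empty' "$cache") || return 3
  printf 'account:  %s\n' "$(mask_email "$email")"
  "$JQ_BIN" -r '
    "tier:     \(.tier // "unknown")",
    "quota:    \(.quota.used // 0) / \(.quota.limit // 0)",
    "overage:  \(.overage_policy // "unknown")",
    "charges:  \(.current_charges // 0)"
  ' "$cache"
}

# Constructed sample cache: includes a token and an internal id that a raw
# dump would leak and that the allowlist above deliberately omits.
SAMPLE_CACHE=$(mktemp)
trap 'rm -f "$SAMPLE_CACHE"' EXIT
cat >"$SAMPLE_CACHE" <<'EOF'
{
  "email": "alice@example.com",
  "tier": "pro",
  "quota": {"used": 1250, "limit": 5000},
  "overage_policy": "block",
  "current_charges": 12.5,
  "session_token": "constructed-secret-token-do-not-print",
  "internal_account_id": "acct-0001"
}
EOF

summarize_usage "$SAMPLE_CACHE" || echo "summary unavailable (exit $?)" >&2
```

Run with `JQ_BIN=/nonexistent/jq` to see the fail-closed branch: the script exits 2 with a message on stderr and prints nothing from the cache. The allowlist in the jq program is the whole control; anything not named there, including the session token, never reaches stdout regardless of what else the cache grows to contain.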

VirusTotal

65/65 vendors flagged this skill as clean.
