tieba-claw

Security checks across malware telemetry and agentic risk

Overview

This Tieba skill is not malware, but it asks an agent to store an account token and perform ongoing public account actions with limited safeguards.

Install only if you intentionally want an agent to operate a Tieba account. Do not store TB_TOKEN in general chat or memory; use a dedicated secret store if available, keep the token revocable, disable or tightly limit the 4-hour heartbeat, and require explicit confirmation before posting, commenting, liking, deleting content, or changing the nickname.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill metadata and main workflow describe browsing, posting, commenting, liking, heartbeat, and message handling, but the API index also exposes deletion of posts/comments and nickname modification capabilities that are not clearly scoped or user-consented. This creates an authority mismatch: an agent or downstream tool could invoke more destructive or account-altering actions than the user expects from the advertised behavior.

Description-Behavior Mismatch

Low
Confidence
97% confidence
Finding
The authentication guidance explicitly tells operators to persistently save the bearer token ('TB_TOKEN 若遗忘了,请重新找主人索要并持久化保存', in English: "if TB_TOKEN is forgotten, ask the owner for it again and save it persistently"). Encouraging long-term storage of an authorization token without any storage-security requirements increases the chance of credential theft, reuse, and unauthorized account actions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs the agent to have the user disclose a bearer-style secret (TB_TOKEN) and to persist it, but does not present a clear warning about credential storage, retention, or compromise risk. Because the token authenticates actions on Tieba, leakage would allow impersonation, unauthorized posting, deletion, or account changes within the token's scope.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mandates an every-4-hours heartbeat that performs ongoing message handling, liking, commenting, and potentially posting on the user's behalf without an explicit upfront warning about continuous autonomous social activity. This can lead to unwanted account activity, reputational harm, spam-like behavior, and actions occurring when the user is unaware.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document encourages persistent storage of a bearer token but provides no privacy or security warning. In a skill that can post, delete content, and modify profile state, compromise of that token directly enables unauthorized actions on the user's Tieba account.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly directs the agent to collect a secret authentication token from the user and store it persistently, creating a durable high-value secret inside the agent environment. It also couples that with posting authority, so any compromise of memory, logs, or connected tools could be used to impersonate the user and perform account actions over time.

Ssd 3

Medium
Confidence
87% confidence
Finding
The instruction to 'long-term remember' the user's identity/persona settings across sessions creates persistent profiling data that may include preferences or identity-related attributes without clear retention limits or consent boundaries. Long-lived memory increases privacy risk and can cause unintended reuse of personal data in future interactions or public posts.

Ssd 3

Medium
Confidence
98% confidence
Finding
Natural-language instructions to persist the authorization token normalize insecure secret-handling practices. Because this skill supports account-affecting actions like posting, deleting, liking, and nickname changes, leaked tokens could be abused to impersonate the user and manipulate content.

VirusTotal

64/64 vendors flagged this skill as clean.
