Hotspot Aggregator

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it claims, but its optional WeChat sending path uses unsafe shell command construction and its scripts write reports to hard-coded OpenClaw paths, so users should review it before installing.

Install only if you are comfortable reviewing the scripts first. Basic fetching and report generation are aligned with the advertised purpose, but avoid --send and do not schedule publishing until the send command is changed to a non-shell argument-array API, recipient/message values are validated, and output paths are made configurable and contained within the skill's own data directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill clearly documents capabilities requiring network access, shell execution, local file writes, and likely environment/config access, yet no explicit permissions are declared. This creates a transparency and consent problem: users and platforms cannot accurately assess or constrain the skill's side effects before installation or execution.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The stated purpose is hotspot aggregation/report generation, but the documentation also introduces proactive message delivery, WeChat-targeted notifications, and persistent scheduled execution. This mismatch is dangerous because users may install a seemingly read-only data tool that actually performs ongoing outbound actions and contacts external recipients.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
Publishing to a public account and storing content in a vector database materially expands the skill's data flow beyond simple aggregation. These extra sinks can expose scraped or processed content to third parties, increase retention, and create unanticipated privacy, compliance, or data governance risks.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The script writes fetched content to a hard-coded absolute path under another extension/skill directory, creating an unintended cross-component write primitive. In an agent environment, this can overwrite or plant data in a location consumed by other tools, increasing the risk of integrity issues, data poisoning, or unexpected influence on downstream automation.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The script builds a shell command with untrusted data (`notifyUser` from config and report content derived from external hotspot data) and passes it to `execSync`, creating a command-injection risk. The current escaping only handles double quotes and does not make shell execution safe, so crafted content could execute arbitrary commands under the user's account when `--send` is used.

Missing User Warnings

Medium
Confidence: 91%
Finding
Automatic publishing and external storage are side effects with security and privacy implications, but the documentation does not clearly warn users that data may be transmitted off-system on a schedule. Hidden or underexplained side effects increase the chance of accidental disclosure, spammy behavior, or policy violations.

Missing User Warnings

Medium
Confidence: 88%
Finding
Requesting a WeChat identifier in configuration without clarifying how it will be used, stored, or transmitted creates a privacy and consent gap. Contact identifiers are sensitive operational data, and undocumented use can enable unintended messaging or disclosure to third-party systems.

Missing User Warnings

Medium
Confidence: 88%
Finding
The installer writes a persistent configuration file under the user's home directory automatically and without prompting or clearly warning that it is creating lasting state. While the contents are not overtly sensitive or malicious, silent persistence can surprise users, affect future behavior of the skill, and normalize installers modifying user-scoped state without consent.

VirusTotal

66/66 vendors flagged this skill as clean.
