Aliyun OSS or Tencent COS upload for online access

Security checks across malware telemetry and agentic risk

Overview

The skill does its advertised upload job, but it asks users to handle cloud storage keys in risky ways and can publish local or fetched content as public links.

Review before installing. Use a dedicated least-privilege OSS/COS key limited to one bucket and path, configure it through platform secrets or manual local setup rather than chat, and treat every returned link as public on the internet. Avoid using URL upload for internal or sensitive addresses unless the skill adds network-scope protections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding
The document says only scripts/upload.js may access credentials and callers must not modify configuration, but later instructs the platform/agent to write secrets into configuration files. That contradiction creates confused-deputy behavior where an assistant is normalized into handling and persisting secrets despite the stated safety boundary.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill’s stated purpose is uploading files for online access, but it also accepts arbitrary HTTP(S) URLs, downloads their contents, and republishes them to public cloud storage. This broadens the capability into remote content fetching and reposting, which can be abused to mirror untrusted or sensitive remote content and creates a data-handling behavior users may not expect from the manifest.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The code performs arbitrary outbound requests to user-supplied URLs and follows redirects, which is a classic SSRF-style capability. In an agent/runtime context, this can be used to probe internal services, access cloud metadata or intranet-only endpoints, and exfiltrate retrieved content by uploading it to public storage.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The activation description is broad enough to match ordinary requests about uploading or sharing files, which can cause the skill to trigger in contexts where the user did not intend public cloud publication. In this skill, mis-triggering is especially risky because execution may upload local or fetched content and return a public URL.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The 'when to use' rules include vague phrases like putting files online or generating shareable links, without clear user-confirmation requirements. Because the skill sets objects to public-read and returns public URLs, ambiguous triggering can directly expose files to the internet when a user may have only wanted local transfer or private sharing.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The Aliyun upload path explicitly sets the object ACL to public-read, making uploaded content world-accessible, but the script provides no explicit warning or confirmation before transmitting potentially sensitive local or downloaded data to external storage. In a skill intended for agent use, this creates a meaningful risk of accidental data exposure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The Tencent COS path also uploads data to external cloud storage with ACL set to public-read, creating the same public exposure risk without an explicit user-facing disclosure. This is especially dangerous because the input may be a local file or remotely fetched content, both of which can contain sensitive data.

Ssd 3

Severity: High
Confidence: 99%
Finding
The skill instructs users to paste cloud access keys directly into chat so the assistant can install the skill and write configuration. Sending long-lived cloud credentials through conversational context dramatically increases exposure risk through logging, retention, model access, screenshots, prompt injection, or downstream tool leakage; the surrounding 'privacy' language does not mitigate that core design flaw.

VirusTotal

65/65 vendors flagged this skill as clean.
