生日祝福语 (Birthday Greetings)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid birthday-message skill, but it handles payment credentials, local order records, and internal-reasoning disclosure in ways users should review before installing.

Install only if you intentionally want a paid birthday-blessing workflow and trust the configured payee. Before use, remove or ignore the thought-process disclosure instruction, verify the clawtip payment flow, and check where order files and payment credentials are stored and how they can be deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The instruction to interact in Chinese 'including your thought process' requests disclosure of hidden reasoning that is unrelated to generating birthday greetings. This can cause leakage of internal deliberations, safety logic, or sensitive intermediate data, expanding exposure beyond the skill's legitimate function.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The script is nominally a "birthday greeting generation" skill, but its core logic creates orders, reads payee configuration, generates an encrypted payment payload, and saves order information, clearly exceeding the functionality a user could reasonably expect. For a content-generation skill, hidden charging and payment handling create risks of misleading charges, data processing without adequate disclosure, and steering users into an unintended payment flow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: Introducing encrypted payment-payload generation into a birthday-greeting scenario is not necessarily malicious in itself, but it has no direct connection to the skill's stated purpose and reduces users' and auditors' visibility into what the code actually does. The code also encrypts payment-related plaintext with SM4 in ECB mode, which both obscures the real business behavior and relies on a cryptographically weak mode, hindering security auditing and data protection.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The create_order(question) interface appears to accept the user's question, but the plaintext payment data it actually creates contains only orderNo, amount, and payTo and does not reflect the service content at all, which can easily lead callers to believe the order is bound to the user's request. Such an implementation makes the business semantics opaque and increases the risk of erroneous charges, order disputes, and difficulty in later auditing.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The file implements payment-related configuration loading and persistent order storage, which materially exceeds the advertised purpose of generating birthday greetings. This mismatch is dangerous because users or hosting agents may grant the skill trust and filesystem access based on a benign description, while the code introduces billing and data-retention behavior that can collect or store sensitive transactional information unexpectedly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The skill can write and read arbitrary order files under a user-local directory using externally supplied indicator and order number values, despite being presented as a simple greeting generator. Even without obvious code execution, this creates unexpected local persistence and potential tampering or disclosure risks if other components can influence those parameters or rely on the stored data.

Natural-Language Policy Violations

Severity: High
Confidence: 98%
Finding: This directive explicitly asks the agent to include its hidden reasoning process in user-visible responses. If followed, the model may disclose internal safety analysis, prompt contents, or decision criteria that attackers can use to evade safeguards or extract sensitive contextual information.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The script writes the order number, amount, question content, encrypted data, and payee to storage without showing any user prompt or confirmation. For a skill that appears only to generate greetings, this means user input and transaction-related data may be silently persisted, creating privacy, compliance, and abuse risks.

Ssd 3

Severity: High
Confidence: 99%
Finding: Telling the model to reveal its full chain-of-thought creates a direct prompt-based data exposure risk. Internal reasoning can contain hidden instructions, security heuristics, and intermediate interpretations that should remain private, and disclosure can materially weaken system defenses.

Ssd 3

Severity: High
Confidence: 98%
Finding: The repeated instruction increases the likelihood that an agent will prioritize leaking internal deliberation during normal use. Repetition makes the unsafe behavior more persistent and harder for higher-level safeguards to override, especially in a skill that already requests credentials and payment handling.

VirusTotal

67/67 vendors flagged this skill as clean.
