Clawtip Weather.Bak

Security checks across malware telemetry and agentic risk

Overview

This is a paid weather skill, but it bundles, and can invoke, a high-impact payment/wallet helper with plaintext token storage, background polling, and under-scoped local file access; users should review these capabilities carefully before installing.

Install only if you are comfortable with a weather skill that can invoke payment flows, store a payment token locally in plaintext, write order and payment credential files, and use a bundled Node.js encryption helper. Review the payment amount and recipient before proceeding, avoid using it on shared machines, and prefer a version that removes thought-process disclosure, pins/verifies the payment dependency, validates local file paths, and stores tokens in a protected secret store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: The instruction to interact in Chinese 'including thought process' is unrelated to delivering a weather report and attempts to elicit internal reasoning. That is dangerous because chain-of-thought disclosure can expose hidden system behavior, safety constraints, intermediate secrets, or implementation details beyond what the user needs.

Context-Inappropriate Capability
Severity: High
Confidence: 95%
Finding: The skill instructs the agent to install and invoke another skill (`clawtip`) if absent, which extends behavior beyond the stated weather-report purpose. This is risky because it creates a supply-chain and privilege-escalation path where a seemingly simple skill can bootstrap additional code and payment functionality without clear user scrutiny.

Context-Inappropriate Capability
Severity: Medium
Confidence: 82%
Finding: `save_order` persists arbitrary caller-supplied order data under the user's home directory, and neither `indicator` nor `order_no` is constrained, so the function can be abused as a general local persistence mechanism. Given that the skill declares itself a weather service, writing to local disk beyond what is directly necessary raises the risk of privacy exposure, accidental storage of sensitive information, and directory-traversal writes to other paths.

Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding: The implementation does not enforce that the submitted `question` is weather-specific; it forwards arbitrary user input to a backend endpoint labeled as a counseling/result service. In a paid weather skill, this mismatch expands the effective capability beyond the declared purpose and can enable misuse of paid credentials or backend access for unrelated queries, weakening user trust and policy boundaries.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: The file documents a bundled Node.js encryption tool used for JD payment payloads, which is unrelated to the declared weather-reporting purpose. A mismatched capability like local encryption tooling plus outbound network access strongly suggests hidden financial transaction functionality and expands the attack surface for covert payment or credential-handling operations.

Description-Behavior Mismatch
Severity: Critical
Confidence: 99%
Finding: The document describes token persistence, JD authorization, wallet access, registration polling, and payment processing, while the skill metadata claims it is a weather expert. This is a severe purpose mismatch indicating deceptive packaging: users and reviewers may grant permissions to what appears to be a benign weather skill while it actually performs financial operations and stores sensitive tokens.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The invocation policy only allows triggers for payment, wallet, token creation, and registration-status workflows, which directly contradicts the stated weather use case. This shows the operational behavior is centered on financial actions, making the benign weather description likely a cover for invoking sensitive flows under false pretenses.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The skill's behavior materially exceeds the declared weather-service purpose and introduces payment execution, wallet access, token creation, credential handling, and polling/task orchestration. This scope mismatch is dangerous because it can be invoked under the guise of a benign weather skill while exposing sensitive financial/account capabilities and broader host permissions than users would reasonably expect.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The scheduled-task creation/cancellation logic adds persistence and autonomous follow-up behavior unrelated to delivering weather reports. That increases risk because the skill can keep operating after the initial interaction, repeatedly query registration state, and manipulate background task state without a context-appropriate justification.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: Providing direct wallet-view access is unrelated to the stated weather-reporting function and expands the skill into financial account access. In context, this is risky because a user invoking a weather service would not reasonably expect wallet functionality or be prepared for potential financial/account redirection.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The file's behavior is materially inconsistent with the skill's declared purpose of providing paid weather reports. Instead, it contacts third-party JD endpoints to query token/registration status and persists a returned token locally, indicating hidden credential-handling functionality unrelated to the advertised feature set.

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding: A weather skill generally has no legitimate need to launch a Node.js subprocess to perform custom encryption for a token-registration workflow. This hidden execution capability expands the attack surface and can enable covert non-weather operations, especially when paired with external network calls.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: Within a weather-service skill, this script implements local token persistence logic that has no direct relation to the core weather query: it writes the user-supplied token to a configuration file on disk. For a skill declared as a paid weather lookup, this adds an unnecessary risk of sensitive data landing on disk; if the local file is accessed by other processes, users, or logging/backup systems, the token may be stolen and misused.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The code writes the incoming token directly to config.json, with no visible necessity constraint or security control tying it to the weather-report function. This leaves a sensitive credential resident on local disk long-term, where anyone with file-system access could reuse it; the risk is higher in shared environments, on developer machines, in container volumes, or in backup scenarios.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The skill claims to be a weather service, but this file implements full payment initiation, authorization-link handling, and write-back of payment credentials, a capability scope that clearly exceeds the minimum needed to "verify payment before a weather query". For the user, this means the skill can actively assemble payment requests from local order data, a highly sensitive operation that, if abused, could lead to payments or credential generation without adequately informed consent.

Context-Inappropriate Capability
Severity: Medium
Confidence: 78%
Finding: Invoking a local Node.js script to perform encryption inside a weather skill has no direct relation to the core weather-query capability and adds execution-chain complexity and supply-chain risk. If encrypt.js or the Node runtime were tampered with, an attacker could use it to intercept tokens, substitute encryption results, or execute unintended logic.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The code reads the user token `u` from local configuration and then uses it in payment-related flows and external transmission, yet this handling of a highly sensitive credential is not reflected in the skill's declared weather purpose. The mismatch between skill context and actual capability lowers user vigilance; if the token is misused, leaked, or linked to a real account, it could result in account abuse, privacy exposure, or insufficiently authorized payment operations.

Description-Behavior Mismatch
Severity: High
Confidence: 93%
Finding: This file implements a complete encryption handshake, request encryption/decryption, HMAC verification, and local key management, while the skill declares itself to be weather lookup only. A capability this clearly mismatched with the business purpose widens the room for data collection and covert transmission, and with no visible minimization statement, permission boundary, or explicit user disclosure, it constitutes a high-risk introduction of excessive capability.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The code persists `aksKey` to localStorage or mini-program storage and wraps the stored value using a hard-coded SM4 key and IV. Because the wrapping key also lives in client-side code, once the local script environment is read or debugged, or a same-origin script is compromised, an attacker can recover that key material, defeating the protection of subsequent encrypted traffic or local data.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill directs reading order JSON files and payment credentials from a fixed local directory without clear user-facing disclosure about sensitive data access. This is dangerous because users may not realize the skill is accessing persisted payment artifacts and order metadata, which could expose confidential financial information or enable unauthorized reuse if files are mishandled.

Natural-Language Policy Violations
Severity: High
Confidence: 97%
Finding: Forcing Chinese output and inclusion of internal reasoning removes user choice and couples a language restriction with sensitive reasoning disclosure. In context, the dangerous part is not the language preference itself but the mandatory leakage of thought process, which can expose internal decision-making and protected information.

Natural-Language Policy Violations
Severity: High
Confidence: 97%
Finding: This repeated instruction reinforces mandatory Chinese interaction together with thought-process disclosure, increasing the likelihood that the model reveals sensitive internal reasoning during normal use. Repetition suggests the behavior is intentional and central to the skill design rather than incidental wording.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The code sends the user-supplied `question` verbatim to a third-party createOrder endpoint, with no explicit disclosure, consent, or data-minimization measure anywhere in the code. Since the skill handles the user's query content, and its description emphasizes only payment verification with no notice that data leaves the device, this creates a risk of privacy leakage and data sharing beyond user expectations.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The script persists order data containing the user's input `question` to local storage, with no retention period, access control, or user notice. If the storage directory is read by other components, bundled into logs, or left with misconfigured permissions, the user's query content and payment-related metadata could be exposed long-term, a risk that is higher in a paid-skill scenario.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: The wallet-view trigger includes broad phrases like viewing/opening a wallet, which can overlap with ordinary user speech and cause unintended invocation of a financial function. In a weather skill context, such ambiguous triggering is more dangerous because the capability is unexpected and could redirect users into wallet flows without clear intent.

VirusTotal

67/67 vendors flagged this skill as clean.