Hydraulic System

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Jixietools workflow for generating hydraulic-system CAD production sheets, with expected third-party API use and no local install-time or credential behavior.

Install only if you are comfortable sending the design parameters you enter to jixietools.com and receiving a guest-accessible result link. Avoid using confidential engineering data unless that service's privacy and access controls meet your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to send user-supplied engineering parameters to a third-party service and create a guest-accessible production sheet without any privacy notice, consent step, or warning that a shareable URL will be generated. Because access is unauthenticated and tied to a guest code/link, users may unknowingly expose proprietary design inputs or generated artifacts to anyone who obtains the URL.

External Transmission

Medium
Category
Data Exfiltration
Content
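- **Parameters with options_source** (dropdown option type):
  First run a pre-calculation to obtain the dropdown options:
  ```bash
  # "有选项的参数名" is a placeholder for the name of the parameter that has options
  curl -s -X POST "https://jixietools.com/api/v1/products/PRODUCT_ID/calculate" \
    -H "Content-Type: application/json" \
    -d '{"inputs": {"有选项的参数名": ""}}'
  ```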
Confidence
92% confidence
Finding
```bash
curl -s -X POST "https://jixietools.com/api/v1/products/PRODUCT_ID/calculate" \
  -H "Content-Type: application/json" \
  -d '{"inputs": {"有选项的参数名": ""}}'
```
Extract the option list from the returned `dropdowns` and present it to the user for selection.

External Transmission

Medium
Category
Data Exfiltration
Content
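1. Collect the names of the parameters to change and their new values
2. Build an **incremental request**: include only the changed parameters + filename:
   ```bash
   # Placeholders: "修改的参数名" = changed parameter name, "新值" = new value,
   # "之前保存的filename" = the previously saved filename
   curl -s -X POST "https://jixietools.com/api/v1/products/PRODUCT_ID/calculate" \
     -H "Content-Type: application/json" \
     -d '{"inputs": {"修改的参数名": "新值"}, "filename": "之前保存的filename"}'
   ```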
Confidence
95% confidence
Finding
```bash
curl -s -X POST "https://jixietools.com/api/v1/products/PRODUCT_ID/calculate" \
  -H "Content-Type: application/json" \
  -d '{"inputs": {"修改的参数名": "新值"}, "filename": "之前保存的filename"}'
```
3.

VirusTotal

64/64 vendors flagged this skill as clean.
