Restaurant Recommendation Cross-Validation (餐厅推荐交叉验证)

Security checks across malware telemetry and agentic risk

Overview

This skill is not plainly malicious, but it should be reviewed because it stores third-party login sessions and some recommendation paths can return simulated data while being presented as validation.

Install only if you are comfortable with an interactive setup that installs browser automation, logs you into Dianping and Xiaohongshu, and saves reusable local session data. Treat the sessions directory and any ClawHub token as secrets, do not rely on server/mock outputs for real decisions, and review whether scraping these platforms is acceptable for your account and use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documentation describes capabilities that imply network access, scraping, local configuration changes, proxy use, and script execution, yet no explicit permissions are declared. This creates a transparency and least-privilege problem: users and hosting systems may authorize or run the skill without understanding it can access the network, invoke shell tooling, and read/write local files for config, cookies, or session state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated purpose is restaurant cross-checking, but the referenced behavior extends into automated browser scraping, persistent session handling, login prompting, local browser profile storage, and deployment/publishing helpers. That mismatch is dangerous because users may consent to a simple recommendation tool while the skill actually handles authenticated sessions and stores sensitive local state, materially expanding the attack surface and privacy risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The implementation document describes a materially broader capability than the stated skill purpose: automated scraping via Playwright, login/session management, persistent authenticated state, and install tooling. This is dangerous because it expands the operational and trust boundary from passive cross-referencing into credential-adjacent browser automation against third-party platforms, increasing risk of unauthorized data access, account misuse, and policy evasion without clear disclosure in the skill metadata.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The security section claims the tool does not handle sensitive information, yet elsewhere it explicitly states that Playwright persistent context stores cookies and localStorage and that sessions are saved under a sessions directory. Authenticated session tokens are sensitive secrets; mischaracterizing them can cause users to underestimate account-compromise risk if those files are exposed, copied, or reused.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document markets the skill as cross-validating restaurant quality from Xiaohongshu and Dianping, but later discloses that the server version uses only simulated data and is not suitable for real decisions. This is a true integrity/deception issue because users or downstream agents may rely on fabricated outputs as if they were verified external data, leading to incorrect decisions and unsafe automation behavior.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The early documentation presents the skill as a normal recommendation tool that an AI can directly call, while later sections state that the current version only generates simulated test data. This contradiction can mislead users and orchestrating agents into treating synthetic recommendations as trustworthy outputs, which is a security-relevant provenance problem even though it is not code execution.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file claims to support automatic cross-referencing of Xiaohongshu and Dianping data, but the core search path fabricates restaurant and engagement data locally instead of retrieving real platform content. In a recommendation skill, this is dangerous because users may rely on apparently validated outputs that are actually synthetic, leading to deception, bad decisions, and downstream misuse of fabricated confidence signals.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module docstring states that the script uses requests and BeautifulSoup for server-friendly scraping, but the executable behavior never performs the advertised scraping/parsing and only emits mock-derived results. This mismatch increases the likelihood that operators, reviewers, or downstream agents will misunderstand the trustworthiness and provenance of the outputs.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill advertises automatic Dianping fetching and cross-platform validation, but this code returns fabricated mock records instead of live platform data. In a decision-support skill, this is dangerous because users and downstream agents may treat synthetic results as trustworthy evidence, leading to false recommendations and integrity failures.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The surrounding comments describe production scraping concerns, but the implementation only generates mock restaurant entries. This mismatch can mislead reviewers, operators, or calling components into believing the skill performs real validation, creating a trust and transparency problem that can propagate incorrect outputs.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The function is presented as fetching Xiaohongshu restaurant data, but the active code path returns fabricated mock data while printing that it is performing a live search. In this skill context, that is dangerous because downstream cross-checking and confidence scoring can be built on false evidence, misleading users into trusting recommendations that were never validated against the claimed source.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The public convenience function claims to fetch Xiaohongshu data, but it delegates to logic that only generates mock test data. This misrepresentation increases the risk that other components, agents, or users will treat synthetic output as real platform intelligence, undermining the trustworthiness of the restaurant-review cross-check skill.
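The findings above describe fetch functions that return fabricated records while announcing a live search, which is a provenance failure rather than a code-execution bug. The pattern that prevents it is to tag every record with where it came from and let the cross-check refuse to score synthetic input. The following is an added example and not the skill's own code; the record fields, the `Source` tag, the `fetch_dianping_mock` stand-in and the agreement rule are assumptions made for the illustration.

```python
"""Provenance gate for cross-platform restaurant checks (added example).

Every record carries a Source tag; cross_check() refuses to emit a confidence
score unless all input came from a live platform fetch. Field names and the
agreement rule are assumptions for this illustration, not the skill's code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Source(Enum):
    LIVE = "live"   # fetched from the platform during this run
    MOCK = "mock"   # generated locally: test or simulated data


@dataclass(frozen=True)
class Record:
    platform: str   # assumed labels: "xiaohongshu" or "dianping"
    name: str
    rating: float   # assumed 0-5 scale
    source: Source


def fetch_dianping_mock(query: str) -> list[Record]:
    """Stand-in for a simulated-data path: fabricated, and tagged as such."""
    return [Record("dianping", query, 4.6, Source.MOCK)]


def cross_check(xhs: Iterable[Record], dp: Iterable[Record]) -> dict:
    """Return a verdict dict; confidence is None whenever any evidence is synthetic."""
    xhs, dp = list(xhs), list(dp)
    synthetic = sorted({r.platform for r in xhs + dp if r.source is not Source.LIVE})
    if synthetic:
        # The whole point: fabricated input never becomes a confidence number.
        return {"verified": False, "confidence": None,
                "reason": "synthetic input from: " + ", ".join(synthetic)}
    by_name = {r.name: r for r in dp}
    matched = [(x, by_name[x.name]) for x in xhs if x.name in by_name]
    if not matched:
        return {"verified": False, "confidence": None, "reason": "no overlap"}
    # Assumed agreement rule: 1 minus the mean absolute rating gap over the 0-5 scale.
    gap = sum(abs(a.rating - b.rating) for a, b in matched) / len(matched)
    return {"verified": True, "confidence": round(1 - gap / 5, 3),
            "reason": f"{len(matched)} venue(s) matched on both platforms"}


if __name__ == "__main__":
    live_xhs = [Record("xiaohongshu", "Lao Wang Noodles", 4.4, Source.LIVE)]
    live_dp = [Record("dianping", "Lao Wang Noodles", 4.9, Source.LIVE)]
    print(cross_check(live_xhs, live_dp))                                  # verified, confidence 0.9
    print(cross_check(live_xhs, fetch_dianping_mock("Lao Wang Noodles")))  # refused: synthetic input
```

The gate makes the simulated-data case visible to a calling agent as a structured refusal instead of a plausible score, so an orchestrator can branch on `verified` rather than on prose the mock path prints.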

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The setup script explicitly prompts the user to log into Dianping and Xiaohongshu, then invokes a session manager to save authenticated browser state for later automated use. Persisting authenticated sessions expands the skill from public review cross-checking into credentialed account automation, which increases the risk of account misuse, leakage of cookies/tokens, and access to non-public data if those session files are exposed or mishandled.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script includes account-login session management for both platforms without making clear why authenticated access is needed for the stated purpose of validating restaurant recommendations. This creates unnecessary privileged capability in the skill, increasing the attack surface and the chance that stored sessions could be reused for unintended actions under the user's account.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The document states that the AI will automatically invoke the skill whenever a message mentions a location, food, and a recommendation request. Those conditions are broad enough to match ordinary conversation, causing unintended tool execution and unnecessary access to external data sources or browser-backed automation. In this skill’s context, automatic scraping/cross-checking makes over-triggering more risky than a purely local read-only helper.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide tells users to authenticate on a server with an API token and even shows passing the token directly on the command line, but it does not mention that the token is sensitive or how to protect it. This can expose credentials through shell history, process listings, logs, or shared server environments, leading to unauthorized publishing or account misuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quickstart directs users to authenticate to third-party platforms and states that login state will be saved for 1–2 weeks, but it does not explain where session artifacts are stored, how they are protected, or what access they grant if copied. Saved browser sessions often function as bearer tokens, so local compromise, accidental inclusion in backups, or repository leakage could let an attacker reuse accounts without needing passwords.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs users to authenticate with a token passed directly on the command line, but provides no warning about secure handling of credentials. Command-line tokens can be exposed through shell history, process listings, screen recordings, logs, or copied documentation, which creates a realistic credential leakage risk during publication workflows.
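Both token findings above describe the same exposure: a value placed in argv lands in shell history and process listings. The following is an added example, not the guide's own instructions, showing a loader that refuses a token on the command line and takes it from an environment variable or an owner-only file instead; the variable name `CLAWHUB_TOKEN`, the refused flag names, the `CLAWHUB_TOKEN_FILE` path variable and the sample token are assumptions.

```python
"""Keep a publishing token off the command line (added example).

Not the guide's own instructions. The token is taken from an environment
variable or from a file that only the owner can read; a token given as a
command-line argument is refused, because argv is visible in shell history
and process listings. Variable name, flag names and file path are assumptions.
"""
import os
import stat
import sys
import tempfile
from typing import Mapping, Optional, Sequence

ENV_VAR = "CLAWHUB_TOKEN"            # assumed name
FORBIDDEN_FLAGS = ("--token", "-t")  # assumed flag names to refuse


class TokenError(Exception):
    pass


def redact(token: str) -> str:
    """Keep a short suffix so log lines can be correlated without leaking the secret."""
    return "****" + token[-4:] if len(token) > 8 else "****"


def read_token_file(path: str) -> str:
    """Accept the file only if group/others have no access (chmod 600)."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise TokenError(f"{path} is accessible by group/others; run: chmod 600 {path}")
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    if not token:
        raise TokenError(f"{path} is empty")
    return token


def resolve_token(argv: Sequence[str], env: Mapping[str, str],
                  token_file: Optional[str] = None) -> str:
    """Order: refuse argv, then environment, then owner-only file."""
    for arg in argv:
        if arg in FORBIDDEN_FLAGS or arg.startswith(tuple(f + "=" for f in FORBIDDEN_FLAGS)):
            raise TokenError("refusing a token on the command line (shell history, ps); "
                             f"set {ENV_VAR} or pass an owner-only token file instead")
    token = env.get(ENV_VAR, "").strip()
    if token:
        return token
    if token_file:
        return read_token_file(token_file)
    raise TokenError(f"no token found: set {ENV_VAR} or provide a token file")


def self_check() -> dict:
    """Exercise the file path with a 0600 file and the same file loosened to 0644."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "token")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("tok_example_abcdef123456\n")   # constructed sample token
        os.chmod(path, 0o600)
        results["owner_only"] = resolve_token([], {}, path)
        os.chmod(path, 0o644)
        try:
            resolve_token([], {}, path)
            results["loose"] = "accepted"
        except TokenError:
            results["loose"] = "rejected"
    return results


if __name__ == "__main__":
    try:
        tok = resolve_token(sys.argv[1:], os.environ, os.environ.get("CLAWHUB_TOKEN_FILE"))
        print("token loaded:", redact(tok))
    except TokenError as exc:
        sys.exit(f"error: {exc}")
```

Exporting the variable in the shell still leaves it in that shell's environment and in history if typed inline; the owner-only file, or a secret manager that injects the variable into the process, is the better option on a shared server.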

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger examples are broad natural-language phrases that overlap with ordinary user conversation, increasing the chance of unintended automatic invocation. In an agent environment, overly generic activation criteria can cause the skill to run in contexts where the user did not explicitly request it, leading to unnecessary data processing, confusion, or propagation of the simulated-output problem described elsewhere in the guide.
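To see why the trigger conditions in the two findings above match ordinary conversation, it helps to run them. The following is an added example, not the skill's trigger definition: a broad rule (location, food and recommendation words all present) is compared with a narrower one that also requires an explicit request to the assistant. Keyword lists, the request pattern and the sample messages are constructed for this illustration.

```python
"""How "location + food + recommendation request" over-matches (added example).

Not the skill's trigger definition. A broad rule (all three keyword classes
present, as the guide describes) is compared with a narrower one that also
requires an explicit request directed at the assistant. Keyword lists, the
request pattern and the messages are constructed for this illustration.
"""
import re

LOCATIONS = ("shanghai", "beijing", "chengdu", "xuhui")
FOODS = ("noodles", "hotpot", "dumplings", "dim sum", "restaurant")
RECOMMEND = ("recommend", "suggest", "where should")
# Assumed "explicit request" pattern: addressed to the assistant, or phrased as a question.
REQUEST = re.compile(r"\b(can|could|would) you\b|\bplease\b|\bwhere should (i|we)\b|\?\s*$", re.I)


def _mentions(text: str, words) -> bool:
    t = text.lower()
    return any(w in t for w in words)


def broad_trigger(msg: str) -> bool:
    """The guide's rule: a location, a food and a recommendation word all present."""
    return _mentions(msg, LOCATIONS) and _mentions(msg, FOODS) and _mentions(msg, RECOMMEND)


def classify(msg: str) -> str:
    """no_match | keyword_only (broad rule fires, no request) | request."""
    if not broad_trigger(msg):
        return "no_match"
    return "request" if REQUEST.search(msg) else "keyword_only"


SAMPLES = [   # constructed messages
    "Can you recommend a hotpot place in Chengdu?",
    "My friend in Shanghai recommends I try the dumplings at her office cafeteria.",
    "Where should I go for dim sum in Shanghai?",
    "Nice weather in Beijing today.",
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{classify(m):13s} broad={broad_trigger(m)!s:5s} {m}")
```

The second message fires the broad rule although nothing was asked. Even the narrower rule is a heuristic, so for this skill the browser-backed path, which runs under the user's saved logins, should confirm with the user before it executes rather than start on a keyword match.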

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly states that Xiaohongshu access may require authentication cookies, but it provides no warning about secure handling, storage, reuse, or exposure of those cookies. Account cookies are effectively bearer credentials; if stored insecurely, logged, copied into config files, or shared across tools, they can enable account takeover, unauthorized access, or privacy breaches.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code launches a persistent Playwright browser context backed by a session directory, which can retain cookies, authentication tokens, and other browsing state across runs. In a scraping skill, this creates privacy and account-misuse risk if operators or users are not clearly informed that persistent session data is stored and reused, especially for a third-party site.
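The session findings above (persistent Playwright context, cookies and localStorage under a sessions directory, login state kept for one to two weeks) all reduce to one check: is the saved state readable by anyone but the owner, and what does it grant? The following is an added example, not the skill's own code: it audits a sessions directory for loose permissions and lists the cookies in any Playwright `storage_state` JSON found there. The directory layout, the file name and the cookie names and values are constructed for the illustration; a `launch_persistent_context` user-data directory stores cookies in the browser's own files instead, which the permission check still covers.

```python
"""Audit a sessions directory for exposed browser session state (added example).

Not the skill's own code. Walks the directory, flags anything accessible by
group/others, and for Playwright storage_state JSON files (shape:
{"cookies": [...], "origins": [{"origin": ..., "localStorage": [...]}]})
lists the cookies, which act as bearer credentials for the logged-in account.
Directory layout, file name and sample cookies are constructed for this example.
"""
import json
import os
import stat
import tempfile
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuditReport:
    loose_paths: list = field(default_factory=list)    # mode grants group/other access
    cookies: list = field(default_factory=list)        # one dict per cookie found
    local_storage: dict = field(default_factory=dict)  # origin -> number of keys


def _loose(path: str) -> bool:
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def _read_storage_state(path: str, report: AuditReport, now: float) -> None:
    with open(path, encoding="utf-8") as fh:
        state = json.load(fh)
    for c in state.get("cookies", []):
        exp = c.get("expires", -1)   # -1 marks a session cookie; otherwise epoch seconds
        report.cookies.append({
            "file": path, "domain": c.get("domain"), "name": c.get("name"),
            "httpOnly": bool(c.get("httpOnly")), "secure": bool(c.get("secure")),
            "days_left": None if exp == -1 else round((exp - now) / 86400, 1),
        })
    for origin in state.get("origins", []):
        report.local_storage[origin.get("origin", "?")] = len(origin.get("localStorage", []))


def audit_sessions_dir(root: str, now: Optional[float] = None) -> AuditReport:
    """Report loose permissions on the tree and the bearer state stored in it."""
    now = time.time() if now is None else now
    report = AuditReport()
    if _loose(root):
        report.loose_paths.append(root)
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if _loose(path):
                report.loose_paths.append(path)
            if name.endswith(".json"):
                try:
                    _read_storage_state(path, report, now)
                except (ValueError, OSError):
                    pass   # a JSON file that is not a storage_state dump
    return report


def make_sample_sessions(now: float) -> str:
    """Constructed sample: a loosely permissioned sessions dir with one storage_state.json."""
    root = tempfile.mkdtemp(prefix="sessions-")
    state = {
        "cookies": [
            {"name": "session_id", "value": "REDACTED-SAMPLE", "domain": ".xiaohongshu.com",
             "path": "/", "expires": now + 14 * 86400, "httpOnly": True, "secure": True,
             "sameSite": "Lax"},
            {"name": "login_token", "value": "REDACTED-SAMPLE", "domain": ".dianping.com",
             "path": "/", "expires": -1, "httpOnly": False, "secure": True, "sameSite": "Lax"},
        ],
        "origins": [{"origin": "https://www.xiaohongshu.com",
                     "localStorage": [{"name": "user_pref", "value": "1"}]}],
    }
    path = os.path.join(root, "storage_state.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(state, fh)
    os.chmod(root, 0o755)   # the mistake the audit is meant to catch
    os.chmod(path, 0o644)
    return root


if __name__ == "__main__":
    root = make_sample_sessions(time.time())
    rep = audit_sessions_dir(root)
    for p in rep.loose_paths:
        print("loose permissions:", p)
    for c in rep.cookies:
        print("cookie:", c["domain"], c["name"], "days_left =", c["days_left"])
```

Anything the audit lists is reusable by whoever copies the file, without a password, until the cookie expires or the platform revokes it; the practical fixes are `chmod 700` on the directory, excluding it from backups and repositories, and logging out of the platforms to invalidate the state when the skill is removed.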

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill performs automated access to Dianping without any visible user disclosure or consent flow in this code path. While network access is expected for this skill's purpose, undisclosed automated third-party requests can create privacy, compliance, and trust issues because user queries are sent to an external service implicitly.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Restaurant Review Cross-Check Skill Dependencies

# Web scraping
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Web scraping
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0

# Browser automation (for real data fetching)
Confidence
95% confidence
Finding
beautifulsoup4>=4.12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Web scraping
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0

# Browser automation (for real data fetching)
playwright>=1.40.0
Confidence
95% confidence
Finding
lxml>=4.9.0
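The three dependency findings above flag `>=` floors; a check that finds them, and pins each to the floor the file already states, is straightforward. The following is an added example, not the scanner's own logic, run on the requirements excerpt quoted above.

```python
"""Flag unpinned requirement lines and pin them to the stated floor (added example).

Not the scanner's own check. Input is the requirements excerpt quoted in the
findings above; every specifier other than == is reported, and `>=X` is
rewritten to `==X`, the lowest version the file already claims to support.
"""
import re
from typing import List, Tuple

REQUIREMENTS = """\
# Restaurant Review Cross-Check Skill Dependencies

# Web scraping
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0

# Browser automation (for real data fetching)
playwright>=1.40.0
"""

# name, optional [extras], optional operator and version; markers and comments ignored
SPEC = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|!=|>=|<=|>|<)?\s*(?P<ver>[^\s;#]+)?"
)


def find_unpinned(text: str) -> List[Tuple[int, str]]:
    """Return (line number, package name) for every requirement not fixed with ==."""
    hits = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "-")):   # comments and pip options
            continue
        m = SPEC.match(line)
        if m and m.group("op") not in ("==", "==="):
            hits.append((no, m.group("name")))
    return hits


def pin_to_floor(text: str) -> str:
    """Rewrite `pkg>=X` as `pkg==X`; other loose specifiers are left for manual review."""
    out = []
    for raw in text.splitlines():
        m = SPEC.match(raw.strip())
        if m and m.group("op") == ">=" and m.group("ver"):
            out.append(f"{m.group('name')}{m.group('extras') or ''}=={m.group('ver')}")
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for no, name in find_unpinned(REQUIREMENTS):
        print(f"line {no}: {name} is not pinned")
    print(pin_to_floor(REQUIREMENTS))
```

Pinning to the floor is the minimal fix that changes no tested behaviour; the supply-chain value comes from then generating hashes (for example `pip-compile --generate-hashes` from pip-tools) and installing with `pip install --require-hashes -r requirements.txt`, so a replaced artifact of the same version is rejected at install time.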

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal