Agent Reach

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real multi-platform internet tool, but its default setup can change the host system and read or store browser session cookies.

Install only after reviewing the setup path. Prefer safe or dry-run mode first, avoid automatic browser-cookie import unless you understand which accounts will be read and stored, use isolated environments for setup, and require explicit confirmation before any posting, commenting, package installation, or credential-handling step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (35)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Use NodeSource setup script without invoking a shell pipeline.
with tempfile.NamedTemporaryFile(delete=False, suffix=".sh") as tf:
    script_path = tf.name
subprocess.run(
    ["curl", "-fsSL", "https://deb.nodesource.com/setup_22.x", "-o", script_path],
    capture_output=True, timeout=60,
)
Confidence
93% confidence
Finding
subprocess.run( ["curl", "-fsSL", "https://deb.nodesource.com/setup_22.x", "-o", script_path], capture_output=True, timeout=60, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    ["curl", "-fsSL", "https://deb.nodesource.com/setup_22.x", "-o", script_path],
    capture_output=True, timeout=60,
)
subprocess.run(
    ["bash", script_path],
    capture_output=True, timeout=120,
)
Confidence
98% confidence
Finding
subprocess.run( ["bash", script_path], capture_output=True, timeout=120, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pkgs.append("miku_ai")
try:
    cmd = [sys.executable, "-m", "pip", "install", "--break-system-packages", "-q"] + pkgs
    subprocess.run(cmd, capture_output=True, encoding="utf-8", errors="replace", timeout=120)
    # Verify
    ok = True
    try:
Confidence
84% confidence
Finding
subprocess.run(cmd, capture_output=True, encoding="utf-8", errors="replace", timeout=120)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
    try:
        os.makedirs(tools_dir, exist_ok=True)
        subprocess.run(
            ["git", "clone", "--depth", "1",
             "https://github.com/bzd6661/wechat-article-for-ai.git", wechat_dir],
            capture_output=True, encoding="utf-8", errors="replace", timeout=60,
Confidence
82% confidence
Finding
subprocess.run( ["git", "clone", "--depth", "1", "https://github.com/bzd6661/wechat-article-for-ai.git", wechat_dir], capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print("     https://nodejs.org/ or: curl -fsSL https://fnm.vercel.app/install | bash")
    return
try:
    subprocess.run(
        ["npm", "install", "-g", "mcporter"],
        capture_output=True, encoding="utf-8", errors="replace", timeout=120,
    )
Confidence
83% confidence
Finding
subprocess.run( ["npm", "install", "-g", "mcporter"], capture_output=True, encoding="utf-8", errors="replace", timeout=120, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    ["dpkg", "--print-architecture"],
    capture_output=True, encoding="utf-8", errors="replace", timeout=10,
).stdout.strip() or "amd64"
subprocess.run(
    ["curl", "-fsSL", "https://cli.github.com/packages/githubcli-archive-keyring.gpg", "-o", keyring_path],
    capture_output=True, timeout=60,
)
Confidence
87% confidence
Finding
subprocess.run( ["curl", "-fsSL", "https://cli.github.com/packages/githubcli-archive-keyring.gpg", "-o", keyring_path], capture_output=True, tim

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
    if shutil.which("npm"):
        try:
            subprocess.run(
                ["npm", "install", "-g", "xreach-cli"],
                capture_output=True, encoding="utf-8", errors="replace", timeout=120,
            )
Confidence
82% confidence
Finding
subprocess.run( ["npm", "install", "-g", "xreach-cli"], capture_output=True, encoding="utf-8", errors="replace", timeout=120, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print("  ✅ undici already installed (Node.js proxy support)")
else:
    try:
        subprocess.run([npm_cmd, "install", "-g", "undici"], capture_output=True, encoding="utf-8", errors="replace", timeout=60)
        print("  ✅ undici installed (Node.js proxy support)")
    except Exception:
        print("  -- undici install failed (optional — xreach may not work behind proxies)")
Confidence
78% confidence
Finding
subprocess.run([npm_cmd, "install", "-g", "undici"], capture_output=True, encoding="utf-8", errors="replace", timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env = os.environ.copy()
env["AUTH_TOKEN"] = auth_token
env["CT0"] = ct0
result = subprocess.run(
    [xreach, "search", "test", "-n", "1"],
    capture_output=True, encoding="utf-8", errors="replace", timeout=15,
    env=env,
Confidence
88% confidence
Finding
result = subprocess.run( [xreach, "search", "test", "-n", "1"], capture_output=True, encoding="utf-8", errors="replace", timeout=15,

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises broad internet functionality and includes shell, network, file read/write, and environment capabilities, but no explicit permission declaration or user-facing constraint model. In an agent setting, undeclared powerful capabilities increase the chance of silent execution of networked commands, local file access, and configuration changes without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is general web search/read/interact, but the observed behavior extends into package installation, git cloning, local config management, cookie extraction, uninstallation, and update checks. This mismatch is dangerous because users and orchestrators may invoke the skill expecting simple retrieval while it performs privileged system modifications and accesses sensitive local authentication material.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The WeChat section explicitly recommends a tool that bypasses anti-bot protections, which introduces legal, policy, and abuse risk beyond ordinary content reading. In a general-purpose agent skill, embedding anti-bot bypass instructions normalizes evasion techniques and may cause the agent to access services in ways the user did not realize were high-risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The installer automatically attempts to import cookies from local browsers for multiple platforms during install, which is credential harvesting behavior and goes beyond a user simply enabling web search. Because cookies often grant authenticated session access, silently collecting them during installation creates a substantial privacy and account-compromise risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The configure command advertises auto-extracting ALL platform cookies from supported browsers, which is broader than necessary for normal web research and resembles credential collection tooling. In an agent skill, this greatly increases the risk of unauthorized session capture and account misuse.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This section performs broad system-level installation, package source changes, npm global installs, apt/brew operations, and external setup execution, far exceeding the expected scope of a web-access skill. Such behavior increases supply-chain, privilege, and host-integrity risks and can materially change the user's system outside the core function promised.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The installer writes into multiple external agent-framework skill directories and even creates a default skill path if none exists. This persistence and cross-environment modification broadens the package's reach beyond web functionality and may surprise users or establish unwanted integration points.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The module adds local browser cookie extraction, which is credential harvesting functionality rather than ordinary web search or page-reading behavior. In this skill context, cookies can grant authenticated access to third-party accounts, so bundling this capability into an internet/search skill materially increases risk and broadens access beyond the declared purpose.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation implies targeted extraction for supported platforms, but the implementation collects all XiaoHongShu cookies as a raw header string. That understatement is dangerous because it hides the true breadth of credential and tracking data being harvested, reducing the chance that users or reviewers understand the sensitivity of what is being collected.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad, including common requests like 'search online', 'research', and colloquial phrases in Chinese, making accidental activation likely. Because this skill can invoke shell, network, persistence, and setup actions, unintended routing into this skill expands the chance of unexpected external access or local side effects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill includes publishing, commenting, and setup/configuration capabilities, but it does not clearly warn that these actions may transmit data externally, modify accounts, or persist cookies/configuration locally. In account-connected platforms, missing warnings and confirmations can lead to unauthorized posting, leakage of sensitive data, or risky configuration changes.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The file performs external command execution against local tooling and a configured MCP endpoint without any user-facing disclosure in the code path. In a skill whose purpose is to interact with online platforms, silently probing local configuration and login status can surprise users, leak environment details, or trigger unintended network/local side effects in contexts that expect read-only capability checks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Browser cookie extraction is triggered during install without a strong pre-action warning that the tool is accessing browser-stored authentication data. Even if intended for convenience, failing to obtain informed consent around session-token access is a significant security and privacy issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI help text promotes extracting all platform cookies without emphasizing that these are highly sensitive session credentials. That omission can mislead users into authorizing risky behavior they do not fully understand.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code extracts cookies from local browsers and writes them into configuration without any user-facing warning, consent checkpoint, or confirmation of which accounts will be affected. In this skill context, that is especially dangerous because the skill supports interacting with external platforms, so stolen session cookies could be used to impersonate users, access private data, or perform actions on their behalf.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide explicitly instructs the user to copy a Groq API key and send it to the agent, which encourages sharing a sensitive credential through the chat channel instead of entering it locally or via a dedicated secret input flow. This creates avoidable exposure risk because the key may be retained in conversation logs, observed by intermediaries, or reused beyond the user's intent if mishandled.

VirusTotal

66/66 vendors flagged this skill as clean.
