ClawHub

Dajiala Article Fetcher

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent helper for fetching WeChat public-account article links through the Dajiala API and saving them to Excel, with no evidence of hidden or destructive behavior.

Install only if you are comfortable using a Dajiala API key, sending the public-account IDs from the spreadsheet to Dajiala, and creating Excel exports in the configured local directory. Avoid using confidential account lists unless you have reviewed the API’s data-handling terms and adjusted the input/output paths for your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill metadata indicates it uses environment variables and makes network calls, but it declares no permissions or equivalent user-facing authorization boundaries. This creates a transparency and governance gap: users and host systems may not realize the skill can access secrets and transmit data externally, increasing the chance of unreviewed secret use or unintended data egress.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad enough to match common requests like fetching article lists, which may cause the skill to activate outside the user's intended context. Unnecessarily broad activation is dangerous because this skill performs network access and writes files, so accidental invocation can lead to unintended external requests and local file creation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill writes an Excel file to a default directory on disk, but the description does not clearly warn users that local files will be created at a predefined path. This is risky because users may unknowingly cause persistence of potentially sensitive article data in a shared or predictable location, leading to accidental disclosure, overwrites, or operational surprises.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill references an API key and external API usage but does not clearly warn that data will be transmitted to a third-party service. This matters because users may provide公众号 lists or related metadata without understanding that the information will leave the local environment, creating privacy, compliance, and data-handling risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal