jike-publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is aimed at posting to Jike, but the supplied evidence shows it may report successful posts and persist content locally without actually performing or verifying publication.

Review carefully before installing. This skill appears intended to operate a real Jike account and keep local posting state, but the evidence suggests it may mark posts as successful without actually posting them. Only use it if you are comfortable checking the final Jike post manually, confirming every publish action yourself, and clearing or disabling local state that stores post text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation indicates use of persistent local state (`memory/jike-state.json`) but does not declare permissions for file read/write. Undeclared filesystem access weakens transparency and consent boundaries, and in this case includes storing the user's last post content, which can expose sensitive or private text to other local components or users.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior does not match the advertised purpose: it claims Jike publishing via browser automation, but also describes persistent local logging, rate limiting, and a stateful workflow, while not actually containing executable publishing logic in this file. This mismatch is dangerous because users and orchestration systems may grant trust or invoke the skill under false assumptions, leading to unintended data retention or public posting behavior without adequate disclosure.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script and manifest claim to publish to Jike, but the implementation only prints a workflow and returns success without performing any browser automation. This is a deceptive capability mismatch that can cause downstream agents or users to believe content was posted when it was not, leading to integrity and workflow failures.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function documentation explicitly says it posts content to Jike, but the body only logs steps and reports success. This misrepresentation is dangerous because other components may rely on the documented side effects and treat unpublished content as already delivered.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script writes publish state and prints a success message based solely on a stub function that always returns True. This creates false audit/state data, can suppress retries, and may cause users or agents to lose content or skip necessary posting actions under the false assumption that publication succeeded.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The quick-start instructions perform actions that modify external state by publishing to a live social platform, and elsewhere also mention updating a local state file, without an explicit warning or confirmation requirement. In an agent setting, omitting a clear notice about side effects increases the risk of unintended posting or local data modification when the instructions are followed automatically.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill facilitates posting to a real social-media account through an authenticated browser session, but the description does not explicitly warn that execution can publish content publicly on the user's behalf. In this context, missing consent language is materially risky because a user may interpret the skill as draft assistance rather than an action that creates irreversible public content.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The documented state file stores `lastContent`, which may contain sensitive personal text, but no privacy warning or retention guidance is provided. Although the impact is local rather than remote, this creates unnecessary exposure of user-generated content in persistent storage and can surprise users who did not consent to content logging.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples demonstrate a real side-effect workflow (publishing content to a live social platform and persisting local state), but they do not surface any warning, confirmation, or environment-safety guidance. In an agent-skill context, example code often gets copied into production logic, so the lack of explicit guardrails increases the risk of unintended posting and silent local data retention.

VirusTotal

66/66 vendors flagged this skill as clean.
