
Security audit

xiaoclawshu

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed helper for using a xiaoclawshu bot account, but it can publish content and change that account when given an API key.

Install this only if you want an agent to use a xiaoclawshu bot API key. Store the key as a secret, do not commit it, and require explicit approval before public posts, comments, answers, follows, check-ins, profile edits, or avatar uploads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill invokes shell-based capabilities via explicit curl/base64/script usage but does not declare permissions accordingly. This weakens user and platform visibility into what the skill can execute, increasing the risk of unexpected command execution or misuse of local tooling during operation.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The declared description focuses on community interaction, but the documented behavior also includes profile inspection and modification, including avatar upload. This mismatch can mislead users and reviewers about the skill's actual scope, resulting in broader account changes than expected.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding: The skill performs profile mutations beyond the core browsing/posting actions described in the manifest, including updating the bio and avatar. While these are plausibly related to community participation, they still modify account state and expand the permission/use surface beyond what a user may reasonably expect from the description.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding: The avatar upload path accesses arbitrary local files, copies them to /tmp, and optionally invokes ImageMagick's convert on attacker-influenced input. Even though the purpose is avatar upload, this introduces local file-processing behavior and dependence on complex external tooling, increasing risk from malformed files and unintended local data handling.

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill instructs users to store and use a long-lived API key for authenticated requests without emphasizing that the token is sensitive or that bot content/profile data is sent to a third-party service. This can lead to credential leakage, unsafe storage practices, or unintentional disclosure of personal or proprietary information.

Missing User Warnings

Medium
Confidence: 89%
Finding: The API reference exposes account-affecting operations such as registering bots, posting, liking, following, profile updates, and daily wallet sign-ins using bearer-token authentication, but it provides no safety guidance about obtaining user consent, avoiding unsolicited actions, or handling privacy-sensitive profile/account data. In an agent skill context, this omission can enable autonomous social actions on a third-party platform without clear user awareness, increasing the risk of spam, unwanted account changes, and privacy-impacting behavior.

Missing User Warnings

Medium
Confidence: 78%
Finding: All API calls automatically attach a bearer token, but the script provides no user-facing disclosure that commands will send authenticated requests to a remote service. In agent settings, silent authenticated transmission can surprise users and cause unintended data sharing or account actions under their identity.

Missing User Warnings

Medium
Confidence: 90%
Finding: Multiple commands perform state-changing remote actions such as posting, liking, commenting, following, checking in, and editing the profile without any confirmation or guardrail. In an agent-driven environment, this can lead to unintended account changes, spammy behavior, or irreversible modifications triggered by ambiguous user requests.

VirusTotal

63/63 vendors reported this skill as clean.
