Yufluentcn Record Outcome

Security checks across malware telemetry and agentic risk

Overview

The skill records sales and traffic results as advertised, but its token-sending behavior is too broadly configurable, and one bundled helper can do more than the description promises.

Review before installing. Use this only if you trust Yufluent with your tk-* token and the business metrics you provide. Set TOKENAPI_BASE_URL only to a trusted endpoint, preferably the intended Yufluent API, and have the agent confirm the run_id, event type, and numbers before it records an outcome.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'url' from os.getenv (line 107, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    url = skill_run_url(base_url or os.getenv("TOKENAPI_BASE_URL", ""), skill_id)
    try:
        resp = requests.post(
            url,
            json=payload,
            headers={
Confidence
97% confidence
Finding
resp = requests.post( url, json=payload, headers={ "Authorization": f"Bearer {key}", "Accept": "application/json",

Tainted flow: 'url' from os.getenv (line 107, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    url = agent_outcomes_url(base_url or os.getenv("TOKENAPI_BASE_URL", ""))
    try:
        resp = requests.post(
            url,
            json=payload,
            headers={
Confidence
97% confidence
Finding
resp = requests.post( url, json=payload, headers={ "Authorization": f"Bearer {key}", "Accept": "application/json",

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill metadata declares only environment requirements via the OpenClaw install block, but the documented workflow clearly relies on reading local environment or .env data, executing a local script, and making outbound network requests to a remote API. This capability mismatch can undermine least-privilege review and allow operators or automated systems to approve a skill without understanding that it can access credentials and transmit data externally.

Description-Behavior Mismatch

High
Confidence
84% confidence
Finding
The skill metadata describes an outcome-reporting helper that should not invoke /v1/skills/*/run, yet the module exposes a general skill execution client. This broadens capability beyond the declared purpose and can enable unintended remote actions under the same bearer token, undermining least privilege and increasing the chance of misuse or deceptive packaging.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README suggests triggering outcome recording from broad user statements like 'Listing 上架了' or '这周卖了 N 单' as long as a prior run_id exists in the conversation. That loose natural-language scope can cause the agent to invoke this skill on ambiguous conversational context, leading to incorrect or unauthorized business telemetry being written to the backend.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad conversational phrases such as '登记一下' and '帮我记录效果', which could plausibly appear in ordinary chat and cause the skill to activate without sufficiently specific user intent or validated context. In this skill, unintended activation is more concerning because activation leads to recording analytics/outcome data to an external service, which can create incorrect telemetry or leak business metrics.

VirusTotal

VirusTotal findings are pending for this skill version.
