Mingri DMP Audience Targeting (明日Dmp人群投放)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for managing RTQ advertising orders, but it exposes RTQ credentials in console output and plaintext local caches and uses loosely discovered helper code for authenticated API calls.

Review this skill before installing. Use it only in an environment where local files and terminal transcripts are protected, avoid sharing logs, and rotate RTQ/API credentials if they may have been captured. The publisher should redact secrets from output, remove credentials from order caches, avoid loose helper discovery, and make logger installation and retained fields more tightly scoped.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability (Medium, 88% confidence)

Finding: The skill instructs the agent to install an additional authentication skill via a terminal command. Automatically introducing new code or components expands the trust boundary and the supply-chain risk, especially because the installed skill will manage sensitive API credentials.

Context-Inappropriate Capability (Medium, 90% confidence)

Finding: The skill requires checking for, and optionally installing, a task-logging skill unrelated to the core action of placing or managing RTQ orders. This expands local data collection and introduces another dependency that can store sensitive targeting and operational history, increasing both privacy and supply-chain exposure.

Context-Inappropriate Capability (Medium, 92% confidence)

Finding: The skill reads RTQ credentials from environment variables and multiple local files, expanding its access to secrets beyond what simple order creation requires. In an agent environment, this increases the chance of unintended secret use or disclosure, especially when combined with the later printing and caching of those credentials.

Context-Inappropriate Capability (Medium, 96% confidence)

Finding: The script scans multiple local directories and reads candidate files to discover an auth helper, then executes the discovered file. This broad local discovery creates a script-hijacking opportunity: a malicious or replaced minri_dmp_api.py in a searched path could be executed with access to RTQ credentials and order data.

Description-Behavior Mismatch (High, 99% confidence)

Finding: The cache helper writes full order parameters to disk, and the caller later supplies rtqCluster and rtqAccessKey in that cached object. Storing live access credentials in a predictable local file under the user's home or workspace directory materially increases the risk of credential theft, lateral movement, and unauthorized API use.

Description-Behavior Mismatch (Medium, 92% confidence)

Finding: The script stores and reuses order state in a local cache under ~/workspace/.order_cache, expanding its data-handling behavior beyond the advertised API-only workflow. Because the merged cache can later feed API modifications and may include sensitive fields such as access credentials, it creates an unnecessary persistence surface and increases the chance of local data exposure or unintended order changes.

Context-Inappropriate Capability (Medium, 97% confidence)

Finding: The script scans multiple user-controlled skill directories and selects a Python file to execute based partly on its filename and a loose content check. An attacker who can place or modify files in those locations could cause this skill to run a malicious helper script with inherited privileges and access to RTQ credentials.

Vague Triggers (Medium, 82% confidence)

Finding: The create-order trigger uses broad keywords such as '投放', '订单', and 'RTQ', which can overlap with ordinary conversation and cause unintended activation of an operational workflow. In a skill that can collect credentials, install dependencies, and create advertising orders, misrouted intent increases the risk of accidental sensitive actions.

Vague Triggers (Medium, 84% confidence)

Finding: The request-type classifier relies on simple single-keyword matching without boundary conditions or exclusions. This can misclassify benign queries as create or modify operations and funnel users into workflows that request secrets or prepare side-effecting actions.

Missing User Warnings (High, 98% confidence)

Finding: The script prints the full request parameters, which include rtqCluster and rtqAccessKey, and also persists those credentials in the local order cache. This exposes secrets through console logs, agent transcripts, and local files, making credential compromise likely in shared or monitored environments.

Missing User Warnings (Medium, 98% confidence)

Finding: The cache-saving logic writes the full merged order parameters to disk, and in cached flows those parameters can include rtqAccessKey and rtqCluster copied from earlier state. Persisting credential-bearing data in plaintext, without warning or access controls, materially increases the risk of secret theft, lateral movement, and unauthorized ad-order modification by anyone with local file access.

Ssd 3 (High, 98% confidence)

Finding: The skill explicitly asks users to provide API and RTQ credentials and then save them to a local file for reuse. Persisting long-lived secrets in local plaintext storage materially raises the risk of credential theft, lateral misuse, and unauthorized API access if the host, logs, backups, or other local tooling are compromised.

Ssd 3 (Medium, 91% confidence)

Finding: The task logger is described as storing complete order parameters and historical records, which can include sensitive targeting criteria, audience IDs and names, schedules, and operational metadata. Retaining this information locally expands the privacy footprint and creates a secondary repository of potentially commercially sensitive or regulated marketing data.

VirusTotal

64/64 vendors flagged this skill as clean.
