dmp-persona-insight

Security checks across malware telemetry and agentic risk

Overview

The skill’s analytics purpose is coherent, but it handles DMP credentials and audience data with unsafe transport and secret-handling guidance that needs review before installation.

Install only after you are comfortable giving this skill access to DMP credentials and audience-insight data. Do not paste DMP_AK or DMP_SK into chat; configure them through a secure secret or environment mechanism, rotate any exposed sample/live keys, and avoid using the bundled API client until TLS certificate verification is enabled. Use anonymized or aggregated datasets where possible and review generated marketing/persona recommendations before acting on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions, yet the documentation clearly describes capabilities requiring environment-variable access, network calls to an external API, and file read/write for report and PPT generation. This is dangerous because reviewers and users may underestimate the skill's access and data-handling behavior, leading to overbroad deployment or accidental exposure of credentials and generated artifacts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated purpose focuses on persona insight analysis, but the skill also performs external API access, credential-based authentication using AK/SK, and local artifact generation. This mismatch is security-relevant because hidden or under-disclosed network and credential use can cause users to provide secrets or permit data egress without fully informed consent, especially when analyzing potentially sensitive audience data.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The documentation explicitly instructs users to disable TLS certificate verification via curl -k and requests verify=False. This makes HTTPS connections vulnerable to man-in-the-middle interception and tampering, which is especially dangerous here because the requests carry authentication material and retrieve potentially sensitive audience-insight data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
Although the guide says environment variables are recommended, nearby examples embed concrete AK/SK values directly in code and shell snippets. Hardcoded secrets are easily copied into repositories, logs, screenshots, chat transcripts, and terminal history, creating credential leakage risk and encouraging insecure operator behavior.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code claims to generate a strict six-step analysis process, but several steps are only hard-coded text such as '已处理互斥关系' and '已排除无区分度特征' without evidence that those operations actually occurred. In an insight/reporting skill, this can mislead downstream users into trusting methodology and recommendations that were not truly performed, creating integrity and decision-risk issues.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The detailed analysis output states that core features were screened via a strict multi-step process, but this function merely formats precomputed features and repeats methodological claims. This creates a report-integrity flaw: consumers may rely on asserted rigor that is not enforced here, which is especially risky in a marketing/persona analysis skill used for business targeting decisions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The client explicitly disables TLS certificate verification for all outbound HTTPS requests, which makes man-in-the-middle interception and response tampering feasible. Because this code sends authentication material and retrieves insight data from an external API, the disabled verification materially weakens confidentiality and integrity in transit.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger list contains broad business-analysis phrases such as '生成报告', '营销策略', and '洞察分析', which can cause the skill to activate in contexts beyond the user's intent. In this skill, accidental invocation is more dangerous because activation may lead to requests for AK/SK credentials, external API use, and generation of output files, increasing the chance of unintended data handling.

Missing User Warnings

High
Confidence
99% confidence
Finding
The markdown exposes concrete AK/SK credentials and demonstrates passing auth parameters directly in examples without warning about credential handling risks. Even if these are test credentials, publishing them normalizes unsafe secret usage and may expose working access if the values are live or reused elsewhere.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill documentation provides HTTP examples that disable TLS verification but does not warn users about the resulting integrity and confidentiality risks. In this context, users may copy-paste the examples directly, exposing signed requests and returned insight data to interception or modification by an active network attacker.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly instructs users to upload detailed profiling datasets containing demographic, geographic, behavioral, and consumption attributes, but it provides no warning about personal data, sensitive attributes, de-identification, legal basis, or minimum-necessary handling. In a user-profiling skill, this omission materially increases the chance that operators will submit personal or sensitive data inappropriately, creating privacy, compliance, and downstream misuse risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The guide explicitly instructs users to send DMP_AK and DMP_SK through natural-language chat, which creates a strong risk of credential exposure in conversation logs, UI history, model context, monitoring systems, or downstream integrations. Because these are API secrets for a data/insight platform, compromise could allow unauthorized access to user-insight tasks and related data, making the skill context materially more dangerous.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The changelog explicitly promotes 'fully automated' generation of user insights, positioning, and strategy recommendations without any warning that outputs may be inaccurate, biased, or require human review. In a skill used for marketing, user segmentation, and business decision support, this can lead users to over-trust generated recommendations and make flawed operational or commercial decisions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Requests are made with SSL verification disabled, yet the code does not present a clear runtime warning that transport security has been reduced for all API traffic. This increases the chance that operators unknowingly deploy the client in an insecure mode, exposing credentials and API responses to interception on untrusted networks.

VirusTotal

64 of 64 vendors reported this skill as clean.