Tianji

Security checks across malware telemetry and agentic risk

Overview

The skill is read-only, but it can expose sensitive Tianji workspace data such as survey respondent details, member information, webhook signatures, audit records, and worker source code.

Install only if you are comfortable giving an agent broad read-only access to the Tianji workspace tied to the API key. Use the narrowest read-only key available, avoid broad or generic prompts, and be especially careful with worker code, raw survey responses, member lists, audit logs, billing data, feed channel configuration, and AI gateway settings. Check outputs for secrets or personal data before sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The OpenAPI file materially exceeds the skill’s stated purpose of querying Tianji analytics and uptime data by exposing administrative and code-inspection surfaces such as audit logs, worker code/revisions, workspace membership, and global configuration. Even though the spec is GET-only, these endpoints can disclose sensitive operational data, internal code, identities, and secrets-adjacent metadata that are unnecessary for the declared use case, creating an over-privileged data exposure risk.

Context-Inappropriate Capability
Severity: Critical
Confidence: 99%
Finding: The worker endpoints return full function-worker source code and revision history, which can expose proprietary logic, embedded secrets, internal URLs, tokens, or exploitable implementation details. In the context of an analytics/query skill, source-code retrieval is unjustified and dramatically increases the blast radius of any authorized use or prompt-driven data exfiltration.

Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: Audit logs are administrative data and can reveal sensitive operational history, object identifiers, workflow changes, and security-relevant events that help an attacker map the environment or reconstruct privileged activity. This is outside the described analytics scope, so bundling it into a broad read-only skill meaningfully widens exposure without clear user justification.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: Global config and workspace member endpoints expose administrative and identity information beyond analytics needs, including member emails and system configuration details that can aid reconnaissance and targeted abuse. The skill context makes this more dangerous because users would reasonably expect traffic and uptime queries, not broad tenant and system introspection.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The invocation text is broad enough to activate the skill for generic analytics, monitoring, billing, or telemetry questions that may not be explicitly about Tianji. That can cause unintended tool use against a sensitive internal data source, increasing the chance of over-broad data access and disclosure of workspace metadata, billing details, audit information, or other tenant-specific information.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The survey result endpoints return highly sensitive respondent data including free-form payloads, session IDs, IP addresses, browser/OS/language, and geolocation fields, but the skill description does not warn users that personal or quasi-identifying data may be exposed. In an agent setting, this creates a significant privacy and compliance risk because a benign analytics request could retrieve respondent PII unexpectedly.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: Feed channel responses expose webhookSignature values, which are effectively integration secrets used to authenticate inbound events. Publishing these through a general read-only skill without strong warning or redaction enables credential disclosure and potential spoofing of trusted feed events if the token is reused for verification.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The worker endpoints expose full source code in a broadly described read-only analytics skill and provide no warning that proprietary or secret-bearing code may be returned. Source retrieval can leak business logic, credentials, internal APIs, and exploitable weaknesses, making this especially dangerous in an LLM-mediated environment prone to over-broad data access.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The trigger list contains several generic terms such as "telemetry," "uptime," and "pageview" that can match ordinary user requests outside the intended Tianji context. This can cause unintended skill activation and unnecessary access to configured analytics data, especially because the skill has network permission and authenticated access to a read-only API.

VirusTotal

54/54 vendors flagged this skill as clean.