idea to product mvp

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it advertises, but it silently stores user profile details and uses risky authenticated web automation that deserves review before installation.

Install only if you are comfortable reviewing and controlling its local memory, browser automation, and email behavior. Before use, disable or avoid XiaoHongShu automation unless you accept account risk, delete cached browser data when finished, treat .skills-data/idea2mvp as sensitive, and do not let it store profile details or email reports/attachments without explicit review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (14)

Tainted flow: 'ENV_FILE' from os.environ.get (line 41, credential/environment) → open (file write)

Severity: Medium
Category: Data Flow
Content:
    ensure_dirs()
    if os.path.exists(ENV_FILE):
        return
    with open(ENV_FILE, "w", encoding="utf-8") as f:
        f.write(ENV_TEMPLATE)
    print(
        f"📝 已创建配置文件:{ENV_FILE}\n"
Confidence: 83%
Finding: with open(ENV_FILE, "w", encoding="utf-8") as f:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 97%
Finding: The skill clearly instructs the agent to read environment configuration, read and write local files under `.skills-data/idea2mvp/`, perform network searches across multiple sites, and send email, yet it does not declare any permissions. This creates a transparency and policy-enforcement gap: users and host systems may not realize the breadth of data access and outbound communication the skill expects, increasing the chance of over-privileged execution and unintended data exposure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The XiaoHongShu guidance explicitly recommends Playwright browser automation with anti-bot evasion tactics such as random delays, mouse movement, and gradual scrolling to mimic humans. That exceeds ordinary research assistance and facilitates stealthy scraping of a third-party platform, creating legal, account-safety, and abuse risks; the surrounding text even acknowledges possible account bans, which reinforces that the workflow is intentionally bypassing platform defenses.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding: The code globally disables TLS certificate validation and hostname verification for all HTTPS requests by setting check_hostname=False and verify_mode=ssl.CERT_NONE. This allows a man-in-the-middle attacker to intercept or tamper with responses from Sogou/WeChat endpoints, causing the tool to ingest attacker-controlled content or redirect to malicious URLs; in a research automation skill that collects external data, this meaningfully undermines integrity and confidentiality.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The script deliberately injects stealth logic to hide browser automation by spoofing webdriver, plugins, languages, platform, Chrome APIs, permissions, WebGL, and window properties. This goes beyond ordinary automation and is designed to evade bot-detection and fingerprinting controls, which can violate platform protections and make the skill usable for covert scraping or account-risking activity.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding: The trigger list includes broad phrases like 'send email', 'market research', and 'build MVP', which can match ordinary user requests and invoke a skill that performs file persistence, web research, browser automation, and email workflows. Over-broad invocation increases the risk of the skill activating in contexts where the user did not intend cross-site searching, profile storage, or email-capable behavior.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The skill directs the agent to create and maintain a persistent user profile file containing technical background, industry experience, preferences, and other inferred personal attributes, but it does not require clear prior notice and affirmative consent. Persisting profile data across sessions without explicit permission can lead to privacy violations, sensitive inference storage, and misuse beyond the user's immediate request.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The instruction explicitly says new user background information should be appended without needing to ask the user for consent. This is a direct privacy issue because it authorizes silent accumulation of personal and preference data from conversation content into persistent storage.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The guidance encourages emailing arbitrary text, reports, and attachments externally, but it does not require a confirmation step or warn about transmitting secrets, personal data, proprietary research, or local files outside the system boundary. In an agent skill that aggregates market research and can read cached/generated files, this increases the risk of accidental data exfiltration when a user requests email delivery.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill explicitly instructs the agent to enumerate and read prior idea-brief files from a local project data directory, then reuse user preferences, experience, and concerns as context. That creates a privacy and consent risk because stored personal or sensitive business information may be accessed implicitly, without a fresh user prompt, visibility, or scope limitation.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The workflow directs the agent to use web_search and agent-browser for real-time research, while the task inherently involves user-supplied product ideas, business plans, and concerns. Without a warning or consent checkpoint, confidential idea details may be transmitted to external services or embedded into search queries, risking disclosure of proprietary or personal information.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: The skill instructs ongoing collection and persistence of user-disclosed profile information across a workflow spanning idea discovery, validation, and MVP building. Persistent cross-stage storage of user attributes without consent expands the privacy blast radius and creates unnecessary retained data that could later be exposed or reused inappropriately.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: Repeating the instruction to keep updating a persistent user profile normalizes silent long-term data accumulation from normal conversation. Even if the data is intended for personalization, continued storage of inferred background and preferences without consent is a privacy vulnerability and may exceed user expectations.

Ssd 3

Severity: High
Confidence: 99%
Finding: This section explicitly authorizes maintaining a cross-stage profile and appending new personal details without user consent. Because the file can contain inferred technical skill, industry role, preferences, resources, and risk tolerance, unauthorized persistence materially increases privacy risk and could influence future decisions in ways the user never approved.

VirusTotal

66/66 vendors flagged this skill as clean.