zhongjie

Security checks across malware telemetry and agentic risk

Overview

This home-buying helper is coherent, but its local dashboard and search tools handle sensitive notes, map keys, and web content in under-secured ways.

Install only if you are comfortable running a localhost dashboard that stores buyer notes on disk and exposes them while active. Keep it bound to localhost, do not store highly sensitive financial or family details until authentication and CORS are fixed, avoid sharing customer-owned API secrets in chat, restrict or rotate any AMap key, and treat fetched WeChat/markdown content as untrusted until markdown sanitization and TLS verification are corrected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: High. Confidence: 99%.
Finding: The app constructs a Markdown renderer with `html: !0` (minified JavaScript for `html: true`, i.e. raw HTML passthrough enabled) and then injects the rendered output into the DOM via `innerHTML` for both backend-provided and user-edited content. This creates a direct XSS sink: attacker-controlled markdown/HTML stored in profile, research, or report fields can execute script in the user's browser, steal data, or perform actions as the user.

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.
Finding: The document explicitly instructs the operator to have the customer provide third-party AMap API credentials and to store them in a local `.env` file managed by the skill. For a real-estate advisory skill, collecting customer-owned API secrets is not necessary to fulfill the core business purpose and creates avoidable credential-handling risk, including misuse, leakage, and unclear ownership or consent boundaries.

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
Finding: The script adds a WeChat article search and scraping capability that is unrelated to the stated real-estate advisory skill. In a skill package, unexplained out-of-scope collection/scraping code increases risk because it expands what the agent can do, creates unexpected data flows, and may be repurposed to gather arbitrary external content without user awareness.

Context-Inappropriate Capability

Severity: High. Confidence: 99%.
Finding: The code includes deliberate anti-automation evasion such as hiding `navigator.webdriver`, spoofing plugins/language/platform, and launching Chromium with automation-disabling flags. These are classic stealth-scraping techniques that bypass site defenses and are especially suspicious because they are unnecessary for a normal home-buying assistant.

Context-Inappropriate Capability

Severity: Medium. Confidence: 98%.
Finding: The global SSL context disables hostname verification and certificate validation for all HTTPS requests. This exposes the scraper to man-in-the-middle attacks, allowing an attacker on the network path to tamper with responses, inject malicious content, or redirect subsequent processing.

Missing User Warnings

Severity: Medium. Confidence: 98%.
Finding: Markdown is configured to allow embedded HTML and no warning or restriction is visible before that content is rendered. In this context, the lack of disclosure is secondary; the real security issue is that script-capable HTML can be persisted and rendered, enabling stored XSS against users viewing advisory content.

Missing User Warnings

Severity: Medium. Confidence: 99%.
Finding: The rendered markdown is inserted into the DOM through `innerHTML` in multiple views, making it a concrete execution sink for any malicious HTML payloads. Because the content is editable and fetched from backend endpoints, this supports persistent cross-user compromise if one actor can influence stored content.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding: The instructions normalize collecting and storing sensitive API credentials in `.skills-data/zhongjie/.env` without any warning about secret handling, access controls, redaction, retention, or avoiding exposure in logs and support workflows. Because the skill context is customer-facing and not infrastructure-focused, this makes the behavior more dangerous: operators may treat customer secrets casually and persist them in insecure local storage.

Natural-Language Policy Violations

Severity: Medium. Confidence: 76%.
Finding: Spoofing browser language to Chinese is not inherently dangerous alone, but here it is part of a broader stealth profile used to disguise automation. In that context it contributes to deceptive evasion behavior, helping the scraper impersonate a local human browser and bypass site checks.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding: The `/api/config` endpoint exposes values loaded from `.skills-data/zhongjie/.env` to any caller, and CORS is configured with `allow_origins=['*']`, making cross-origin retrieval trivial from a browser. Even if intended for frontend bootstrapping, configuration values often include API keys or security tokens, and exposing them broadly increases the chance of credential misuse or third-party quota abuse.

VirusTotal

66/66 vendors flagged this skill as clean.
