UTF-8 Publishing Infrastructure (UTF-8发布基础设施)

Security checks across malware telemetry and agentic risk

Overview

This skill is, for the most part, a disclosed multi-platform publishing utility, but it ships real-looking embedded third-party credentials and has weak controls around posting and retaining content.

Review before installing. Do not run npm run integration-test unless you have removed the embedded Discord webhook and GitHub token. Use throwaway, least-privilege credentials, avoid passing secrets on the command line, expect content to be sent to external services when publishing commands are used, and check for backup-*.md files if publishing fails.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (21)

Context-Inappropriate Capability

Severity: Medium (confidence 92%)
Finding:
The documentation expands an encoding helper into a generalized multi-platform publishing mechanism for Discord, GitHub, and future channels. That broad outbound capability is not necessary for UTF-8 handling and increases the attack surface by normalizing content transmission to external services under a benign infrastructure label. In agent workflows, this can cause sensitive content to be published externally when a user only intended local encoding correction.

Context-Inappropriate Capability

Severity: Medium (confidence 91%)
Finding:
Claiming system-level middleware integration and automatic batch publishing broadens the skill from a utility into an orchestration layer that can act across multiple targets with minimal user visibility. This is risky because automatic middleware patterns can make data egress implicit and harder to audit, especially when paired with retries and fallback behavior. The context increases danger because 'infrastructure' framing encourages always-on adoption.

Description-Behavior Mismatch

Severity: High (confidence 92%)
Finding:
The skill is presented as a UTF-8 encoding/validation tool, but its documented interface includes direct outbound publishing to Discord, GitHub, and Reddit. This expands the capability from local text processing into credentialed network actions, creating a mismatch that can surprise users and increase the risk of unintended data exfiltration or misuse.

Context-Inappropriate Capability

Severity: High (confidence 90%)
Finding:
Reddit posting is unrelated to the stated UTF-8 infrastructure purpose and introduces unnecessary remote-posting functionality using multiple sensitive credentials. Unjustified capability creep increases the attack surface and enables the tool to transmit user content to third-party services under the guise of a local encoding utility.

Context-Inappropriate Capability

Severity: Medium (confidence 84%)
Finding:
The CLI consumes multiple third-party secrets from environment variables for actions beyond text encoding, including posting to external services. While reading env vars is common, doing so in a tool advertised for UTF-8 handling broadens trust assumptions and can lead users to expose credentials to a tool whose true scope is unclear.

Intent-Code Divergence

Severity: Medium (confidence 81%)
Finding:
The top-level documentation frames the CLI as an encoding tool, but the command set includes full external publishing operations. This misleading presentation can cause users to run the tool with local files or secrets without realizing it can perform network transmissions.

Description-Behavior Mismatch

Severity: High (confidence 98%)
Finding:
The module is presented as UTF-8 encoding infrastructure, but it contains active outbound publishing functions for Discord, GitHub, and Reddit. That mismatch is security-relevant because an agent or user may grant the skill broader trust than intended, leading to unauthorized exfiltration of content to third-party services and creation of remote artifacts.

Context-Inappropriate Capability

Severity: High (confidence 98%)
Finding:
The skill handles GitHub tokens, Reddit client secrets, Reddit passwords, and webhook URLs to publish content to external platforms, which is far beyond a narrow text-encoding purpose. In an agent setting, this creates a strong risk of credential misuse and unintended data disclosure because the capability surface is hidden behind an innocuous infrastructure label.

Context-Inappropriate Capability

Severity: Medium (confidence 91%)
Finding:
On GitHub publishing failure, the code silently writes the content to a local backup file. This creates an unintended persistence side effect that may store sensitive user data on disk, potentially exposing it to other local users, later processes, backups, or source-control inclusion.

Missing User Warnings

Severity: Medium (confidence 89%)
Finding:
The skill describes automatic local backup of content without a clear warning that user data may be written to disk. Silent persistence can expose sensitive material through local compromise, backups, sync services, shared machines, or unexpected retention, especially if users assume the tool only transforms text in memory.

Missing User Warnings

Severity: Medium (confidence 95%)
Finding:
The examples normalize sending content and credentials to Discord and GitHub but do not provide a prominent privacy or security warning in the skill description. This is dangerous because users may paste sensitive content or tokens into a workflow that performs external transmission, underestimating the confidentiality and account-risk implications. In the context of an agent skill, omission of such warnings materially increases the chance of inadvertent secret leakage or unauthorized publication.

Missing User Warnings

Severity: Medium (confidence 95%)
Finding:
The CLI prints part of the Discord webhook URL to the console during testing. Webhook URLs are effectively secrets, and even partial disclosure can leak identifying material into terminal history, logs, screenshots, or CI output, increasing the chance of credential compromise.

Missing User Warnings

Severity: High (confidence 98%)
Finding:
The GitHub token is partially logged during gist creation, directly exposing credential material in console output. Any token leakage into shell history, CI logs, monitoring systems, or shared terminals can enable unauthorized API access depending on token scope.

Missing User Warnings

Severity: Medium (confidence 87%)
Finding:
The Reddit command collects several credentials and performs a live remote post without an explicit warning or confirmation step. In a tool marketed around UTF-8 processing, users may not expect immediate transmission of content and credentials to a third-party platform, increasing the risk of accidental posting or data leakage.

Missing User Warnings

Severity: Medium (confidence 93%)
Finding:
The infrastructure publish flow reads local file content and uploads it to external platforms based on environment variables, without a strong warning or explicit confirmation. This creates a real risk of unintentionally exfiltrating sensitive local content when users believe they are only invoking encoding-related infrastructure behavior.

Missing User Warnings

Severity: High (confidence 98%)
Finding:
The publish command logs portions of the Discord webhook and GitHub token while preparing external uploads. Exposing fragments of secrets in logs materially increases credential leakage risk, especially in shared environments, CI pipelines, support bundles, or recorded terminal sessions.

Missing User Warnings

Severity: Medium (confidence 99%)
Finding:
The file contains hardcoded fallback credentials for both a Discord webhook and a GitHub personal access token. Embedded secrets in source code are a direct credential exposure: anyone with access to the file can reuse them to post to Discord, create or modify gists, and potentially pivot into broader account compromise depending on token scope.

Missing User Warnings

Severity: Medium (confidence 90%)
Finding:
The code performs real network transmission to third-party services during testing, sending test content and timestamps externally with only minimal console notice. In an agent skill context, undisclosed outbound transmission is dangerous because it can leak user data, operational metadata, or credentials if test payloads are later expanded or reused with real content.

Missing User Warnings

Severity: Medium (confidence 95%)
Finding:
The network functions transmit user-provided content and credentials to external services without any built-in confirmation gate, consent prompt, or policy check. In an agent context, routine status logs are insufficient because the caller may not realize that invoking an encoding utility can send data off-host and consume secrets.

Missing User Warnings

Severity: Medium (confidence 93%)
Finding:
The fallback logic writes user content to a local file without an explicit warning or prior approval. Unexpected local persistence can violate data-handling expectations and leak sensitive material into the filesystem, backups, monitoring tools, or version-control workflows.

Missing User Warnings

Severity: Medium (confidence 93%)
Finding:
The Reddit failure path also silently persists content to disk, creating the same confidentiality and data-retention risk as the GitHub fallback. Because this occurs after a failed external post, users may not even know their content has been stored locally.

VirusTotal

No VirusTotal findings