my_acceptance_rate_analysis_new

Security checks across malware telemetry and agentic risk

Overview

This analytics skill matches its stated purpose, but it ships and silently uses powerful DataWorks credentials and can log sensitive query data, so it needs review before installation.

Only install this in a controlled environment after removing and rotating the embedded token, requiring an explicit least-privilege credential, pinning or allowlisting the DataWorks endpoint, and disabling or redacting debug logs by default. Treat outputs and generated log files as sensitive business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tainted flow: 'DEFAULT_ENDPOINT' from os.getenv (line 12, credential/environment) → httpx.post (network output)

Critical
Category
Data Flow
Content
json.dumps(payload, ensure_ascii=False, indent=2),
        )

    response = httpx.post(
        endpoint or DEFAULT_ENDPOINT,
        headers={
            "Cookie": f"bigdata_access_token={access_token or DEFAULT_ACCESS_TOKEN}",
Confidence
94% confidence
Finding
response = httpx.post( endpoint or DEFAULT_ENDPOINT, headers={ "Cookie": f"bigdata_access_token={access_token or DEFAULT_ACCESS_TOKEN}", "Content-Type": "ap

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to run local Python scripts and implicitly relies on filesystem access, environment access, and potentially network-backed data retrieval, yet it declares no permissions. This creates a trust and containment gap: an orchestrator or reviewer may treat the skill as low-privilege while it can actually read local data, consume secrets from the environment, or reach external/internal services through the script.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script automatically harvests access tokens from multiple environment variables and from a user home directory file (~/.openclaw/.env), even when the caller did not explicitly supply a token. In an agent skill context, this expands the trust boundary and can silently appropriate credentials available on the host, which is dangerous because the skill’s stated purpose is analytics, not credential discovery.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script writes persistent debug logs to a local file and later logs full analysis traces, which can include query payloads, filters, errors, and derived business data. In a shared runner or multi-tenant environment, local log files can become an unintended data sink that exposes sensitive operational or customer-related information beyond the immediate task.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file embeds a default bearer-equivalent access token in source code, which is a direct secret exposure. Anyone with code access can reuse the credential to query the remote DataWorks service, and the token is also automatically transmitted in requests, increasing the chance of unauthorized access and downstream data leakage. The skill’s business purpose does not justify shipping a live credential in code.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code logs full request payloads plus raw response data, including SQL, dimensions, and returned rows from the metrics backend. These logs can expose sensitive business data and query context to log sinks, operators, or other systems not authorized for the underlying dataset. In an analytics skill, some observability is reasonable, but default-on verbose logging of raw backend data exceeds that need.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script silently sources credentials from the environment and a local .env file without any user-facing disclosure, which means an operator may trigger privileged external access without realizing the skill is using host-resident secrets. In agent environments, undisclosed secret sourcing is especially risky because the user may expect a pure analysis tool, not one that consumes ambient credentials.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The helper performs authenticated network queries to an external data service using the resolved access token, but the skill does not provide a user-facing disclosure that it will transmit queries and potentially sensitive business filters/data off-process. This is dangerous because users may unknowingly authorize external data access and transmission simply by invoking an analysis skill.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Using a hardcoded default access token for authenticated requests means the skill can silently operate with privileged backend access even when no secret is explicitly supplied by the deployer. This creates hidden trust and unauthorized data access risk, especially if the token remains valid across environments. The lack of user-facing warning is secondary; the core issue is embedded secret-based authentication.

VirusTotal

64/64 vendors flagged this skill as clean.
