Security audit

my_acceptance_rate_analysis2

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised analytics workflow, but it handles browser-derived access tokens in a broad, persistent way that users should review before installing.

Install only if you trust this publisher and are comfortable giving the skill access to the DataWorks account represented by your browser cookie. Prefer a short-lived or least-privilege token, avoid shared machines, disable verbose query logging, and remove BIGDATA_ACCESS_TOKEN from shell profiles or user environment variables after use if persistence is not intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tainted flow: 'DEFAULT_ENDPOINT' from os.getenv (line 12, credential/environment) → httpx.post (network output)

Critical
Category
Data Flow
Content
json.dumps(payload, ensure_ascii=False, indent=2),
        )

    response = httpx.post(
        endpoint or DEFAULT_ENDPOINT,
        headers={
            "Cookie": f"bigdata_access_token={access_token or DEFAULT_ACCESS_TOKEN}",
Confidence
95% confidence
Finding
response = httpx.post( endpoint or DEFAULT_ENDPOINT, headers={ "Cookie": f"bigdata_access_token={access_token or DEFAULT_ACCESS_TOKEN}", "Content-Type": "ap

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares an analytics purpose but embeds capabilities to read environment variables, persist secrets, read/write files, and call remote services without an explicit permission model. That creates hidden authority and increases the chance that an analyst-style skill can access credentials or local state beyond what a user expects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose is acceptance-rate analysis, but the behavior also includes credential acquisition, persistence across sessions, and external data access. This mismatch is dangerous because users may provide or allow sensitive token handling under the mistaken belief that the skill only performs local business analysis.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill instructs the agent to store a user-provided BIGDATA_ACCESS_TOKEN in both process and user-level environment variables, which expands exposure beyond the current task and session. Persisting reusable access tokens increases the blast radius if the host, shell profile, or subsequent sessions are compromised or inspected by other tools.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill goes beyond analysis by telling users to retrieve an access token from browser cookies and reuse it for API calls, effectively operationalizing credential extraction and reuse. Even if intended for convenience, this normalizes unsafe secret handling and can lead to token leakage, reuse outside intended scope, or policy violations.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill goes beyond business analysis and implements credential discovery, loading from multiple locations, and persistence across future sessions on both Windows and Unix. That materially expands the blast radius of a single token submission: a token provided for one run becomes a long-lived local credential available to later processes and potentially other skills.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code explicitly instructs users to retrieve an auth token from browser cookies and then stores that token locally for reuse. Encouraging manual extraction of a browser session credential bypasses safer auth flows and trains users to expose sensitive session material, increasing risk of token theft, replay, and unintended privilege reuse.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The comments downplay the logging as safe, but the implementation logs full query payloads and later logs raw responses and SQL to normal application logs when enabled by default. Those logs can expose sensitive business data, query structure, filters, and potentially customer or lender-specific analytics to anyone with log access.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The client emits generated SQL, raw result sets, and mapped rows into logs, which exceeds what is necessary for normal acceptance-rate analysis. In a data analytics context, this can leak proprietary schema details and sensitive operational data at scale through centralized logging systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs long-lived storage of a sensitive access token without prominently warning users about persistence, host compromise risk, shared-machine exposure, or how to revoke the credential. This weakens informed consent and makes accidental credential retention more likely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When an explicit token is provided, the code silently persists it for future sessions after only internal logging, without a clear user-facing confirmation at the moment of action. This can leave sensitive credentials in shell profiles or the Windows user environment unexpectedly, where they may be exposed to other local processes, tooling, or users sharing the account.

External Transmission

Medium
Category
Data Exfiltration
Content
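3. **Reuse of current environment variables**: If the user has not pasted a token again this time, but `BIGDATA_ACCESS_TOKEN` already exists in the current terminal or in the user-level environment variables, reuse it directly and do not ask the user for it again.
   - On Windows, do not check only `$env:BIGDATA_ACCESS_TOKEN` in the current PowerShell session; user-level environment variables also count as a reusable source.
   - Do not conclude "token missing" before the script runs just because one standalone environment-variable probe came back empty; the script itself will also go on to try reading the user-level environment variable.
4. **Getting the value from the browser cookie**: If neither the context nor the environment variables have it, then have the user open `https://data.jirongyunke.net/data-pc-bdopr-fe/hoc-inquiry/index`, press `F12`, click any request in `Network`, and copy the value of `bigdata_access_token` itself from `Cookies` / `Request Cookies`; do not pass the whole `Cookie:` request header. Once obtained, first persist it as described in the previous item, then run the script.

When the current environment is PowerShell, the following can be reused directly:
- Set for the current session: `$env:BIGDATA_ACCESS_TOKEN='<token>'`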
Confidence
91% confidence
Finding
https://data.jirongyunke.net/

VirusTotal

65/65 vendors flagged this skill as clean.
