Zhihu Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its advertised Zhihu hot-topic draft workflow, but users should treat the required cookie and API keys as sensitive account credentials.

Install only if you are comfortable giving this skill a Zhihu session cookie and an AI API key. Use a low-risk account if possible, avoid exposing secrets in shell history or logs, expect generated drafts and queue data to remain in the skill workspace, and consider installing dependencies in an isolated Python environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill documentation advertises capabilities that require access to environment variables, local files, networking, and likely shell execution, yet it declares no permissions. This creates a transparency and consent problem: users and the host platform cannot accurately assess or restrict what the skill may access, which is especially risky because it processes sensitive credentials such as Zhihu cookies and API keys.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to copy their full authenticated Zhihu Cookie directly from browser developer tools, which is highly sensitive session material equivalent to account access. Without a prominent warning at the collection point and guidance to minimize scope, users may unknowingly expose credentials that can be reused to impersonate them or access private account data if logged, stored, or leaked.

Missing User Warnings

Medium
Confidence: 86%
Finding
The code sends question_title, question_detail, and excerpt to a third-party LLM API without any consent, warning, redaction, or data-classification check. If users place sensitive or proprietary content into the question fields, that data is silently transmitted off-system, creating a privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal