Lemon8 Lifestyle Collection

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a read-only Lemon8 data assistant, but its instructions include automatic fallback to unrelated Douyin endpoints and weak privacy scoping for third-party API calls.

Review before installing. Use it only if you are comfortable sending Lemon8 searches, links, user IDs, post IDs, and related lookup parameters to MaxHub/aconfig.cn with your API key. The package should ideally remove the Douyin/Xiaohongshu fallback references or clearly constrain calls to /api/v1/lemon8/ before normal approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

High
Confidence: 98%
Finding
The skill claims to be Lemon8-only, but its error-handling and downgrade guidance instructs the agent to switch to unrelated Douyin and Xiaohongshu endpoints. This creates a scope-confusion vulnerability where user requests intended for one platform may be routed to different services, causing unintended third-party data disclosure and violating least-privilege expectations.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The manifest and description position this as a Lemon8 data assistant, yet the operational instructions include cross-platform API routing and downgrade logic for Douyin/Xiaohongshu families. That mismatch can cause the agent to access or transmit data outside the user-visible scope, increasing privacy, compliance, and misuse risk.

Vague Triggers

Medium
Confidence: 91%
Finding
The README advertises extremely broad trigger examples such as “搜索,发现 / 帖子,用户 / 分享,链接” (search, discover / post, user / share, link), which overlap with common conversational words. In an agent environment, overly generic invocation phrases can cause accidental skill activation, leading to unintended external API calls, data retrieval, or context switching without clear user intent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to send user queries and parameters to a third-party API using a sensitive API key, but it does not clearly warn users that their request content will leave the host environment. This weakens informed consent and can expose sensitive search terms, identifiers, or analysis targets to an external provider.

Missing User Warnings

Medium
Confidence: 89%
Finding
The document instructs use of a bearer API key and exposes endpoints for user profiles, followers, following, comments, and post metadata, but provides no guidance on secret handling, least-privilege use, or privacy/legal constraints around collecting user data. In an agent skill, this omission can lead downstream integrators to log credentials, over-collect personal data, or automate surveillance-style queries without safeguards.

VirusTotal

63/63 vendors flagged this skill as clean.