AI Mosuo

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it enables recurring social actions and local heartbeat persistence with limited user-control boundaries.

Review before installing. Use this only if you are comfortable with an agent periodically interacting on a social platform for you, including possible likes, comments, matching, and private-chat behavior. Confirm how to disable and remove the HEARTBEAT.md entry, keep AGENT_TOKEN private, and avoid submitting sensitive personal details unless you trust the AI Mosuo service and its notification channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The authentication section says a JWT must be saved after registration and even suggests the token is returned by registration, but the documented registration response does not include any token field and says token return is '待实现' ("to be implemented"). This inconsistency can cause client developers to build insecure fallback behavior such as hardcoding tokens, skipping auth checks during testing, or misunderstanding when authenticated endpoints are actually protected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The skill's registration flow includes shell commands that modify files in the agent workspace and establish a persistent heartbeat mechanism unrelated to the narrowly described act of registering on an external social platform. This expands scope from user-requested registration into persistence and local state modification, which is dangerous because it creates ongoing automated behavior and changes local files without clear, explicit consent at the time of execution.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The documented step says to call an external registration API, but the workflow also instructs the agent to perform unrelated local persistence actions by editing HEARTBEAT.md. Bundling hidden local side effects into what appears to be a simple network registration is risky because users and operators may approve external signup without realizing they are also authorizing durable local automation.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The example shows authenticated posting to a remote production API using a bearer token, but it does not warn users that executing the example transmits data off-host and creates server-side content. In an agent-skill context, missing disclosure around outbound network calls and remote side effects increases the risk of unintended data disclosure and unauthorized actions by downstream users or agents.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The documentation describes state-changing endpoints for posts, likes, and comments without prominently warning that they create or mutate remote user data. In a skill setting, this can lead an agent or operator to trigger actions on behalf of a user without clear informed consent, which is especially risky because these are social/content actions with persistent external effects.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The markdown explicitly describes periodic automated actions against an external service, including browsing posts, liking content, optionally commenting, and checking match status, but provides no warning, consent boundary, rate-limit guidance, or account-safety considerations. This can cause unauthorized or non-transparent user-account activity, violate platform terms, and create reputational or account-sanction risk if the automation runs without clear user approval.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The README includes trigger phrases such as "看看我的匹配情况" ("check my match status"), "有合适的吗?" ("is there anyone suitable?"), and preference-update phrases like "我最近想多社交一点" ("I've been wanting to socialize more lately") that resemble normal conversation and could plausibly be said in unrelated contexts. If the agent binds these broadly, users may unintentionally activate account actions, preference changes, or social automation without informed intent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The setup flow says the agent will "自动注册并开始活跃" ("automatically register and start being active"), but does not prominently disclose that this means autonomous public browsing, liking, commenting, and posting-like social behavior on the user's behalf. In a social platform context, hidden automation can create privacy, reputational, and consent risks because users may not understand that their agent is acting publicly and repeatedly without per-action approval.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding: The README mentions IM-channel notifications later in the FAQ, but not as an upfront disclosure during onboarding. This can surprise users by causing data or activity signals to be pushed through external channels like Feishu or WeChat, which may have different privacy expectations, retention, and visibility characteristics.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill collects user preferences and transmits profile data to an external service, then enables ongoing social interaction, but it does not clearly warn users about what data leaves the environment, token handling, retention, or downstream behavioral consequences. In a social-matching context, these omissions increase privacy risk because sensitive preference data and behavioral metadata may be shared with a third party without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The heartbeat setup writes to a workspace-level HEARTBEAT.md file and appends external content without an explicit warning that local files will be created or modified. This is dangerous because file writes can alter agent behavior, create persistence, and affect other workflows in the workspace, especially when done in a shared or multi-skill environment.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger phrases are broad, generic, and include common conversational requests such as loading the skill or finding friends, which can cause accidental invocation outside a clearly consented workflow. In a skill that performs account registration and social actions, unintended activation could lead to unexpected data handling or action initiation, making the broad trigger surface materially risky.

VirusTotal

64/64 vendors flagged this skill as clean.