ClawHub

知乎数据获取 | Zhihu Data Fetcher

Security checks across malware telemetry and agentic risk

Overview

This Zhihu data-fetching skill has a real use case, but it ships session-cookie-like values and includes probing tools that require careful review before use.

Review before installing. Remove the bundled cookie values, avoid running the anti-crawl and diagnostic scripts, do not paste personal Zhihu session cookies into this package unless you accept account-risk exposure, and prefer unauthenticated fallback data or an isolated browser session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The configuration file contains hard-coded Zhihu session cookies and anti-CSRF-related tokens, which are authentication secrets that can grant account-bound access if still valid. Embedding them in a skill package creates direct credential exposure risk, enables unauthorized use of a Zhihu account, and normalizes insecure credential handling beyond the skill’s stated minimalist fetching purpose.

Intent-Code Divergence

Low
Confidence
98% confidence
Finding
The function is described as merely fetching data with a file cookie, but it also logs a prefix of the authentication cookie to the console. Even partial session token disclosure can leak sensitive credential material into logs, terminals, CI output, or support bundles, increasing the chance of account/session compromise.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script is explicitly framed as an anti-crawl research tool and includes functionality beyond normal data retrieval, such as testing request-header combinations and analyzing anti-bot behavior. In the context of a Zhihu data fetcher skill, this materially expands the capability from fetching data to studying and adapting around platform defenses, which increases abuse potential and deviates from the declared purpose.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This block enumerates multiple browser-like header profiles, including Referer, Origin, Sec-Fetch-* headers, and X-Requested-With, specifically to test what header combinations help requests succeed. That is effectively probing and tuning requests to evade anti-bot controls, which can facilitate unauthorized scraping or account misuse when combined with stored cookies.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The rate-limit test intentionally sends repeated requests to observe threshold behavior, which is a classic reconnaissance step for service abuse and anti-automation bypass. A normal data-fetching skill does not need to discover how many requests can be sent before throttling, and doing so can burden the target service or help optimize scraping campaigns.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to copy live Zhihu session cookies, including sensitive authentication values, into a local config file. This creates a high risk of credential leakage through local file exposure, backups, logs, screenshots, accidental commits, or reuse by other processes, effectively enabling account hijacking if the cookie file is disclosed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script explicitly reads authentication-related cookies such as _xsrf, d_c0, and SESSIONID and also collects browser fingerprinting attributes including user agent, screen properties, timezone, language, platform, and selected window keys. Even though it only logs them locally, this is sensitive session and device information collection without any consent prompt, minimization, or masking, and it normalizes anti-bot reconnaissance that could aid account/session abuse if reused or copied into less trusted contexts.

Missing User Warnings

High
Confidence
99% confidence
Finding
Authentication cookies are printed to the console immediately before use in a network request, exposing sensitive session data to anyone with access to terminal history, logs, CI artifacts, or centralized logging systems. In this skill's context, the cookies appear to grant access to a logged-in Zhihu session, so disclosure could enable unauthorized reuse of the victim's authenticated session.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script loads saved authentication cookies from local configuration and automatically sends them to Zhihu without an explicit runtime warning, consent check, or scope limitation. This creates credential-handling risk: the tool may act with the user's authenticated session during anti-crawl probing, potentially exposing the account to lockouts, abuse attribution, or unintended authenticated actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script explicitly prompts the user to extract live Zhihu authentication cookies from their browser and persists them in a JSON config file on disk. These cookies are sensitive bearer-style credentials; if the file is read by other local users, synced to cloud storage, accidentally committed to source control, or exposed through logs/backups, an attacker could reuse them to access the user's Zhihu session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script reads authentication cookies from a local config file and sends them in an outbound request to Zhihu. Although the destination is the intended first-party service over HTTPS, this still transmits credential material without any user warning, consent prompt, scoping check, or safeguards against accidental use of real session tokens in a test script. In this skill's context, the risk is increased because the design explicitly promotes file-cookie fallback authentication, making credential handling a core path rather than an edge case.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code automatically attaches locally stored Zhihu authentication cookies to an outbound HTTPS request, with no consent prompt, warning, or scope limitation. In an agent/skill context, silently transmitting session cookies to a remote service can expose a user's authenticated identity and enable access to account-scoped data, especially because the skill is explicitly designed around auth fallback and reliable data retrieval.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads persisted Zhihu authentication material from local configuration and sends it as both Cookie and Authorization headers to a remote service. That is a real credential-transmission risk because these secrets can authenticate as the user, and the script does not provide explicit consent, redaction, or safeguards before use.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This second request path reuses the same stored cookies and bearer token for additional authenticated calls to hot-list endpoints, expanding credential exposure and account activity performed on behalf of the user. Repeated automatic use of local auth state without clear disclosure increases the chance of unintended account access and data disclosure.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal