媒体广告流量市场分析 (Media Advertising Traffic Market Analysis)

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent MediaInsight advertising analysis integration, but it creates real remote tasks and stores reusable session credentials on disk by default.

Review before installing if you will use a personal MediaInsight token. Use dry-run first, confirm the resolved payload and coin cost before creating tasks, avoid tenant switching unless you intend to act in that account context, and delete the session JSON files the script writes after use, because they can contain reusable authentication cookies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92%
Finding
The skill clearly uses sensitive capabilities including environment-variable access, local file read/write, MCP-mediated authentication, and outbound network access, yet it declares no permissions. This weakens least-privilege controls and informed consent, making it easier for a user or platform to invoke data access, token handling, and file persistence without explicit security review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The skill is presented as a data-analysis capability, but its documented behavior includes authentication flows, token exchange, tenant switching, remote task creation, cost-affecting operations, report downloads, archive extraction, and local session persistence. This mismatch can mislead users about the real trust boundary and side effects, increasing the risk of credential misuse, unintended billable actions, and local data exposure.

Description-Behavior Mismatch

Medium
Confidence
96%
Finding
The default prompt directs the agent to use a public shared demo token by default, which can cause requests, access context, and potentially user-supplied analysis parameters to be sent under a shared credential without informed consent. This creates cross-tenant privacy, misuse, and accountability risks, and the later upsell to switch to a personal token indicates credentialed access is part of the flow rather than an incidental detail.

Context-Inappropriate Capability

Medium
Confidence
83%
Finding
The skill is framed as media ad traffic analysis, but it is configured with an MCP dependency specifically for obtaining TTC tokens, expanding capability from analysis into credential acquisition. That mismatch increases risk because the skill can initiate or mediate access-token retrieval without clearly scoping why it is necessary, enabling unnecessary privilege use or user confusion about what is being accessed.

Context-Inappropriate Capability

Medium
Confidence
86%
Finding
The script exposes a tenant-switching capability via --tenant-id even though the skill is described as a read-only ad traffic analysis tool. Changing tenant context broadens the accessible data scope and can enable cross-tenant data access if the caller has a token with wider privileges, increasing the chance of unintended data exposure.

Context-Inappropriate Capability

Medium
Confidence
75%
Finding
The code loads credentials from an environment variable and silently falls back to a shared demo token. While reading a specific env var is common, the insecure default to a public/shared token can cause accidental use of the wrong identity and weakens accountability and access control expectations for an analytics-only skill.

Description-Behavior Mismatch

Medium
Confidence
98%
Finding
The skill description says it analyzes ad traffic distribution and trends, but this script can actively submit and create tasks against the remote platform. That expands the capability from read-only analytics into state-changing operations that may consume quota, incur cost, or trigger unauthorized jobs if invoked with valid credentials.

Context-Inappropriate Capability

Medium
Confidence
92%
Finding
Tenant switching is an account-scoped administrative action that is broader than the stated purpose of traffic analysis. If exposed through an agent skill, it can be abused to pivot across account contexts and operate on a different tenant than the user expected, increasing the blast radius of any credential misuse.

Context-Inappropriate Capability

Medium
Confidence
94%
Finding
The script persists authenticated session state to disk, including to a temporary file path when the user does not specify one. Session artifacts on disk can be recovered by other local processes, leaked through logs or artifacts, or remain behind after execution, extending the lifetime of sensitive authentication material beyond the immediate run.

Context-Inappropriate Capability

High
Confidence
99%
Finding
Embedding a shared demo authentication token directly in the code hardcodes a usable credential into a publicly inspectable package. Anyone with access to the skill can extract and reuse the token, leading to unauthorized API access, quota abuse, reputational impact, and difficulty revoking misuse without rotating the credential.

Missing User Warnings

Medium
Confidence
93%
Finding
The README encourages use of a built-in public shared token and also instructs users to supply their own token for live API access, but it does not clearly warn that tokens are sensitive credentials tied to account scope, quota, and potentially accessible data. In a skill that submits real advertising-analysis jobs and downloads reports, this omission increases the risk of credential leakage, accidental token sharing in shells/logs, and unintended exposure of account-linked market data or spend/quota consumption.

Missing User Warnings

Medium
Confidence
95%
Finding
Using a shared demo token without warning users about privacy, retention, or data-handling implications is dangerous because users may provide business-sensitive targeting, campaign, audience, or market-analysis inputs assuming isolation. In the context of an advertising analytics skill, such inputs can be commercially sensitive, so silent use of a shared credential materially increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
93%
Finding
When no session file is supplied, the script creates a persistent temporary JSON file with delete=False and uses it to store login session state. Persisting authentication/session artifacts to disk without explicit notice or cleanup can leave reusable credentials behind for other local users, processes, or later compromise.

Missing User Warnings

Medium
Confidence
95%
Finding
The client persists session cookies and the TTC token to a local JSON file in the working directory, which can expose reusable authentication material to other local users, processes, logs, backups, or accidental commits. Because these values appear sufficient to authenticate future requests, theft of the file could allow unauthorized access to MediaInsight data under the victim's session.
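The three weak patterns that recur in the findings above (a silent fallback from the personal-token environment variable to the hardcoded shared demo token, session state written through NamedTemporaryFile(delete=False) and never removed, and task creation with no dry-run gate) are shown below beside a hardened form, together with the dry-run and cleanup advice from the Overview. This is an added example, not the skill's code and not MediaInsight's API: the environment variable name MEDIAINSIGHT_TOKEN, the placeholder demo token value, the function and class names resolve_token, SessionStore and submit_task, and the stubbed remote call are all assumptions made for illustration.

```python
"""Hardened versions of the credential, session-file and task-creation
patterns flagged in the findings. Added illustration; names and the env var
are hypothetical, and the remote call is a stand-in."""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed placeholder. The real skill embeds a usable shared token; an
# example must not, so this value is deliberately not a credential.
SHARED_DEMO_TOKEN = "demo-shared-token-PLACEHOLDER"
TOKEN_ENV = "MEDIAINSIGHT_TOKEN"  # hypothetical variable name


class TokenError(RuntimeError):
    """Raised when no usable identity was chosen explicitly."""


def resolve_token(env: dict, allow_demo: bool = False) -> tuple:
    """Weak pattern: env.get(TOKEN_ENV, SHARED_DEMO_TOKEN) switches identity
    silently. Hardened: the shared token needs an explicit opt-in, and the
    chosen identity label is returned so it can be shown before any request."""
    personal = env.get(TOKEN_ENV, "").strip()
    if personal:
        return personal, "personal"
    if allow_demo:
        return SHARED_DEMO_TOKEN, "shared-demo"
    raise TokenError(f"set {TOKEN_ENV} or opt in with allow_demo=True")


class SessionStore:
    """Weak pattern: NamedTemporaryFile(delete=False) in the shared temp dir,
    default mode, left behind. Hardened: private directory (mkdtemp is 0o700),
    owner-only file mode, mode check on read, best-effort wipe on cleanup."""

    def __init__(self, directory: Optional[Path] = None):
        self.dir = directory or Path(tempfile.mkdtemp(prefix="mi-session-"))
        self.path = self.dir / "session.json"

    def save(self, state: dict) -> Path:
        # Create with 0o600 atomically; umask can only remove bits, never add.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(state, fh)
        return self.path

    def load(self) -> dict:
        mode = stat.S_IMODE(self.path.stat().st_mode)
        if mode & 0o077:
            raise PermissionError(f"{self.path} is group/world readable ({oct(mode)})")
        return json.loads(self.path.read_text())

    def wipe(self) -> None:
        # Overwrite then unlink. Best effort only: journaling and copy-on-write
        # filesystems may keep old blocks, so short token lifetime still matters.
        if self.path.exists():
            size = self.path.stat().st_size
            with open(self.path, "r+b") as fh:
                fh.write(b"\0" * size)
            self.path.unlink()
        try:
            self.dir.rmdir()
        except OSError:
            pass


def submit_task(payload: dict, identity: str, coin_cost: int, *,
                dry_run: bool = True,
                confirm: Optional[Callable[[dict], bool]] = None) -> dict:
    """Weak pattern: the task is created as soon as the script runs.
    Hardened: dry-run by default, and a confirmation callback must approve the
    resolved payload, the identity in use and the coin cost before creation."""
    plan = {"payload": payload, "identity": identity, "coin_cost": coin_cost}
    if dry_run:
        return {"status": "dry-run", **plan}
    if confirm is None or not confirm(plan):
        return {"status": "aborted", **plan}
    # The real network call would go here; constructed stand-in for the example.
    return {"status": "created", "task_id": "constructed-task-id", **plan}


if __name__ == "__main__":
    token, who = resolve_token(dict(os.environ), allow_demo=True)
    print("identity:", who)
    store = SessionStore()
    store.save({"cookies": {"sid": "constructed"}, "ttc_token": "constructed"})
    print(submit_task({"market": "example"}, who, coin_cost=3))  # dry-run plan
    store.wipe()
```

The point of returning the identity label from resolve_token is that the agent can print "running as shared-demo" before the first request, which is exactly the informed-consent step the findings say is missing; the confirm callback gives the user the same visibility for billable task creation.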

VirusTotal

0/66 vendors flagged this skill; all 66 reported it clean. A clean VirusTotal result only means no engine matched known-malware signatures; it says nothing about the credential-handling, session-persistence, and excessive-agency findings above, which are behavioural issues that signature scanning does not detect.
