福利吧

Security checks across malware telemetry and agentic risk

Overview

This is a real forum scraper, but it needs review because it uses and can persist a login cookie while following redirects and performing account check-ins.

Install only if you are comfortable giving this skill access to a 福利吧 forum session cookie. Use a throwaway or low-privilege forum account, do not let the agent display cookie.txt contents, restrict cookie file permissions, avoid the checkin command unless you intend an account action, and prefer patching the code to enforce a www.wnflb2023.com origin allowlist before any cookie is sent or persisted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares only Bash and node tools, but its documented behavior clearly requires outbound network access to scrape a forum and perform check-in actions. Undeclared network capability reduces transparency and weakens policy enforcement because users and reviewers cannot accurately assess what external interactions the skill will perform.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is content scraping and summarization, but the documentation also includes login-state handling, cookie file use, redirect/decryption handling, and an independent forum check-in feature. This mismatch is dangerous because it conceals additional authenticated actions and data handling beyond the user's reasonable expectation, increasing the chance of unauthorized account activity or session misuse.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest describes only scraping and summarizing posts, yet the document adds a separate forum check-in function. Introducing an undisclosed state-changing capability creates a trust and consent gap, especially because check-in acts on behalf of a logged-in user rather than merely reading public content.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A forum check-in capability is not proportionate to the stated purpose of fetching and summarizing forum posts. Because check-in performs an authenticated account action, it expands the skill from passive retrieval into active account manipulation, which materially increases risk if invoked unexpectedly.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code implements a full authenticated forum check-in workflow, including formhash extraction and submission to the forum's check-in endpoint, which goes beyond the declared purpose of scraping and summarizing posts. Because it uses the user's forum cookie to perform an account action, the skill can modify user account state without that behavior being justified by its stated functionality.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code performs an authenticated sign-in request against the forum using the user's cookie and a derived formhash, causing a real state-changing action on the user's account. In the context of a content-scraping skill, this is dangerous because it silently expands scope from read-only access to write-like behavior, enabling unauthorized or unexpected interaction with a third-party service.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The CLI usage text advertises forum check-in support, confirming that the undocumented account-modifying capability is intentionally exposed to users even though the skill metadata describes scraping and summarization only. This mismatch increases the risk of deceptive or unsafe use because operators may run state-changing commands under the assumption that the skill is read-only.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The package exposes a `checkin` script that is not disclosed in the skill description, which claims only forum scraping, thread extraction, and summarization. Undocumented operational paths are risky because they can trigger additional network actions or account interactions outside user expectations, especially in a scraping-oriented skill where a check-in function may perform authenticated state-changing requests.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation condition is broad and can trigger on vague requests about forum content without clearly distinguishing read-only summaries from authenticated actions like check-in. Loose invocation boundaries are risky because they can cause the skill to run in contexts where the user did not intend cookie use, scraping, or account-affecting operations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs reading a local cookie.txt file containing authentication/session data without a user-facing warning or explicit consent flow. Session cookies are sensitive credentials; exposing or mishandling them can enable account takeover, unauthorized forum actions, or reuse of the user's authenticated session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function executes attacker-controlled JavaScript using Node's vm module after only stripping <script> tags, which does not make the content safe. Even though a custom context is used and a timeout is set, vm is not a security boundary in Node.js, so untrusted code may be able to escape the sandbox, consume CPU, or manipulate execution in unexpected ways.

Ssd 3

Medium
Confidence
88% confidence
Finding
The skill explicitly instructs the model to extract and display cloud-storage links and passwords from scraped forum posts. Even if those details are present in source content, re-surfacing them in summarized output can facilitate unauthorized distribution of access credentials, piracy, or sharing of restricted content at scale.

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "cheerio": "^1.1.2",
    "undici": "^7.15.0"
  }
}
Confidence
98% confidence
Finding
"undici": "^7.15.0"

Known Vulnerable Dependency: undici==7.15.0 — 6 advisory(ies): CVE-2026-1525 (Undici has an HTTP Request/Response Smuggling issue); CVE-2026-1527 (Undici has CRLF Injection in undici via `upgrade` option); CVE-2026-1528 (Undici: Malicious WebSocket 64-bit length overflows parser and crashes the clien) +3 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
undici==7.15.0

VirusTotal

64/64 vendors flagged this skill as clean.
