ClawHub

Kuaidaili Proxy

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Kuaidaili proxy helper that uses user-provided credentials for expected API calls, with credential-handling cautions but no evidence of hidden or destructive behavior.

Install only if you intend to use a Kuaidaili account with this agent. Prefer environment variables or a secrets manager, avoid passing real credentials on command lines, avoid logging proxy URLs that contain usernames or passwords, and rotate the Kuaidaili credentials if they may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs users to read credentials from environment variables and make outbound API/network requests, but it does not declare corresponding permissions. Undeclared access to env and network reduces transparency and can bypass user expectations or policy controls, especially in an agent ecosystem where permissions are meant to gate sensitive capabilities.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to export long-lived API credentials in the shell but does not warn about protecting them from shell history, process listings, shared terminals, CI logs, or accidental commits. In a skill centered on proxy service access, exposed credentials could let an attacker consume paid proxy resources, inspect account metadata, or abuse the service under the victim's account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes examples that place long-lived credentials directly in shell commands and code snippets without warnings about shell history, source control leakage, log exposure, or misuse of proxy infrastructure. Because the skill is specifically for proxy acquisition and connectivity testing, users may copy-paste secrets and route traffic through third-party proxies without understanding privacy, compliance, or abuse risks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal