Security audit

RSS Personalized Tracking Digest (RSS个性化追踪摘要)

Security checks across malware telemetry and agentic risk

Overview

This skill matches its RSS click-tracking purpose, but it publishes an unauthenticated tracking and log-management service to the internet.

Install only if you intentionally want a public click-tracking redirect service. Before use, remove or protect /clicks, /newclicks, and /clear, make the public tunnel opt-in, re-enable SSH host-key verification, restrict redirects to trusted RSS URLs, and minimize or regularly delete raw IP and URL logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The skill automatically spawns an SSH reverse tunnel to expose the local HTTP service on the public internet, which substantially enlarges attack surface without authentication or clear necessity. In this file's context, the tunnel directly publishes endpoints that reveal and mutate logs, making otherwise local functionality remotely reachable by arbitrary parties.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The /clicks, /clear, and /newclicks endpoints are exposed without any authentication, allowing anyone who can reach the server or tunnel to read sensitive click logs or erase them. Because the same file intentionally creates public internet exposure, these endpoints are more dangerous than a purely local admin interface.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The script silently exposes a local service to the public internet by creating a reverse SSH tunnel to serveo.net, despite presenting itself as a simple local one-click startup flow. It also persists the externally reachable URL into a configuration file, which changes application behavior beyond the current session and can unintentionally publish internal data or functionality to untrusted parties.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The skill is explicitly designed to add click-tracking redirect links and log user interactions, including IP and target URL, but it does not present a clear warning or consent flow to affected users. This creates a privacy and compliance risk because users may be monitored without informed consent, and the collected data can reveal browsing interests and behavior.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The instructions expose a localhost service to the public internet via an SSH reverse tunnel with no authentication, rate limiting, or safety guidance. Publishing a local redirect/logging service externally increases the attack surface and can allow unauthorized access, abuse of endpoints, log pollution, and unintended exposure of internal tooling.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The server logs client IP addresses together with decoded destination URLs to disk, creating a persistent record of user activity that may contain sensitive or identifying information. In the context of an RSS click redirector exposed via a public tunnel, this enables silent tracking of who clicked which links without notice or consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The /clear endpoint performs a destructive action with no authentication, confirmation, or method restriction, so any reachable client can erase audit data instantly. This is especially risky because the server is intentionally exposed through a reverse tunnel, enabling remote tampering with operational records.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
Spawning an SSH tunnel subprocess without clear disclosure or user approval creates covert outbound connectivity and exposes local services externally. The use of StrictHostKeyChecking=no further weakens trust in the remote endpoint and increases the risk of interception or unintended exposure.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
This script opens a public SSH reverse tunnel with StrictHostKeyChecking disabled and no user confirmation, then rewrites configuration to use the public endpoint. That combination creates an unannounced external exposure path and weakens trust verification of the remote host, increasing the risk of interception, misuse, or accidental publication of a local-only service.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The skill's core feature set includes collecting click metadata through redirect links and storing it for personalization. Even if intended for recommendation quality, this is sensitive behavioral telemetry, and the combination of tracking plus persistence creates meaningful privacy risk if users are unaware or if logs are exposed.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The guidance explicitly says to log the source IP and target URL for every click, which captures identifiable user metadata and browsing behavior in plain form. This data can be misused for profiling, surveillance, or deanonymization, especially when exposed through a public-facing redirect service.

Ssd 3

Severity: High
Confidence: 98%
Finding:
The documented log format stores timestamp, source IP, and destination URL in plain text under /tmp, making sensitive clickstream data easy to read by local processes or operators. Persistent plain-text logs increase the risk of unauthorized disclosure, accidental leakage, and secondary use beyond the original purpose.

Ssd 3

Severity: Medium
Confidence: 92%
Finding:
The workflow instructs the system to query prior click logs and use that behavioral history to alter future outputs, creating a profiling mechanism tied to observed user activity. In context, this is the intended personalization feature, but it remains privacy-sensitive because it builds user preference models from tracked interactions without clear safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.
