
Security audit

推送到负一屏 (Push to the negative-one screen)

Security checks across malware telemetry and agentic risk

Overview

This skill is a phone-push helper, but it can automatically send task results to an external service with weak scoping and unclear user control.

Install only if you are comfortable with agent outputs leaving the local environment for a phone notification service. Avoid using it for confidential work unless you can restrict the destination URL, understand the auth code handling, and disable or tightly control automatic scheduled pushes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill declares access to an authentication token via environment variables and performs remote pushing to an API, but it does not declare permissions or otherwise make those capabilities explicit to the platform/user. This creates a transparency and governance gap: the skill can transmit task outputs off-agent while appearing minimally privileged, which increases the chance of unnoticed data exfiltration.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: Allowing the destination URL to be fully overridden via AS_TODAY_API_URL lets anyone controlling the environment redirect requests, including the authCode and task content, to an arbitrary external server. In this skill context, that expands a narrowly scoped push-notification capability into a generic exfiltration channel, making the behavior materially more dangerous than the stated purpose.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger list includes broad, everyday phrases such as '推送到手机' and '帮我推送到手机', which can cause the skill to activate in situations where the user did not clearly intend to send data to an external service. In the context of a skill that transmits task results off-platform, ambiguous invocation increases the chance of accidental disclosure of potentially sensitive content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README explicitly describes pushing task execution results to a phone's Today/negative-one-screen and even supports automatic scheduled pushes, but it does not prominently warn that data will be transmitted to an external API/service. This creates a meaningful risk of users or operators enabling the skill without understanding that summaries, results, and content may leave the local agent environment, leading to unintended data exfiltration.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding: The trigger set includes broad phrases like '推送到手机' and '手机负一屏' that can plausibly occur in ordinary conversation, making accidental activation more likely. Because activation leads to outbound transmission of task results, an overbroad trigger becomes a security issue rather than just a UX bug.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill explicitly mandates automatic pushing of scheduled-task results immediately and without user confirmation or warning. Scheduled tasks often process sensitive summaries, messages, reports, or personal data, so forcing automatic transmission to an external phone/Today endpoint creates a clear data-leakage path without informed consent at the time of send.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The instructions require sending full task results to a phone/Today screen without confirmation, which can expose sensitive natural-language outputs to external devices, lock-screen surfaces, or other viewers. In this skill's context, the danger is elevated because the feature is specifically about pushing arbitrary task output content, and the examples encourage transmitting detailed results verbatim.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.


Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Severity: Critical
Code: suspicious.env_credential_access
Location: scripts/cli.js:23