Book Writer

Security checks across malware telemetry and agentic risk

Overview

This book-writing skill mostly matches its stated purpose, but it needs review because some file writes are not safely confined and the installer upgrades unpinned packages.

Install only in a virtual environment, review the dependency list before running the installer, and avoid using sensitive prompts or manuscripts unless you are comfortable sending them to OpenAI/Google. Treat output paths as untrusted input, and prefer normal filenames under generated_books until the skill adds path normalization and download limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print(f"   💻 执行: {cmd}")

    try:
        result = subprocess.run(cmd, shell=True, check=True,
                                capture_output=True, text=True)
        if result.returncode == 0:
            print(f"   ✅ 成功")
Confidence
95% confidence
Finding
result = subprocess.run(cmd, shell=True, check=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and documents capabilities to access environment variables, read/write files, use the network, and invoke shell commands, but does not declare permissions or boundaries for those actions. In an agent ecosystem, undeclared powerful capabilities reduce transparency and consent, making it easier for the skill to overreach, expose secrets, or execute unintended operations during normal use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior goes beyond a simple writing assistant: it installs dependencies, inspects API key configuration, performs external searches, and downloads remote content. This mismatch is dangerous because users may invoke the skill expecting local content generation while it actually executes commands and transmits data externally, increasing the risk of supply-chain issues, secret exposure, and unsafe content ingestion.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file performs live external searches and arbitrary internet downloads, which expands the skill's trust boundary beyond simple AI-assisted book outlining/expansion. In this context, that creates privacy, supply-chain, and content-integrity risks because user prompts may be sent to third parties and remote content can be fetched and written locally without strong validation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs users to provide API keys and use network-based material search, but does not warn that prompts, search terms, or generated-book context may be transmitted to external providers. This creates privacy and compliance risk, especially if users include proprietary manuscripts, research notes, or sensitive content in prompts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
User-provided prompts and chapter context are sent to an external OpenAI API without any explicit notice, consent flow, or data-classification check in this file. If users provide sensitive manuscript content, proprietary material, or personal data, that information may be disclosed to a third party unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The download_image method retrieves attacker-controlled remote content and writes it directly to a caller-supplied filesystem path with no confirmation, allowlisting, path safety checks, size limits, timeout, or content validation. This can enable unsafe file writes, disk consumption, and persistence of malicious or unexpected content if higher-level code exposes these parameters to users or untrusted inputs.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
    available_keys = []
    for key, description in api_keys:
        value = os.environ.get(key)
        if value:
            masked_value = value[:4] + "..." + value[-4:] if len(value) > 8 else "***"
            print_result(description, True, f"已设置 ({masked_value})")
Confidence
89% confidence
Finding
os.environ.get(key

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
requests>=2.28.0
pyyaml>=6.0
python-dotenv>=0.19.0
Confidence
95% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
requests>=2.28.0
pyyaml>=6.0
python-dotenv>=0.19.0
tiktoken>=0.3.0
Confidence
98% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
requests>=2.28.0
pyyaml>=6.0
python-dotenv>=0.19.0
tiktoken>=0.3.0
beautifulsoup4>=4.11.0
Confidence
98% confidence
Finding
pyyaml>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
requests>=2.28.0
pyyaml>=6.0
python-dotenv>=0.19.0
tiktoken>=0.3.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
Confidence
90% confidence
Finding
python-dotenv>=0.19.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pyyaml>=6.0
python-dotenv>=0.19.0
tiktoken>=0.3.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
Confidence
88% confidence
Finding
tiktoken>=0.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml>=6.0
python-dotenv>=0.19.0
tiktoken>=0.3.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
Confidence
90% confidence
Finding
beautifulsoup4>=4.11.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=0.19.0
tiktoken>=0.3.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
Confidence
97% confidence
Finding
lxml>=4.9.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
requests

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
96% confidence
Finding
pyyaml

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
76% confidence
Finding
python-dotenv

Known Vulnerable Dependency: lxml — 10 advisory(ies): CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more

High
Category
Supply Chain
Confidence
92% confidence
Finding
lxml

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal