
Security audit

GEO Master - 品牌AI可见性监控 (Brand AI Visibility Monitoring)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what its brand-monitoring description says, but it bundles under-documented external data flows, a public-facing API service, and a hardcoded Tavily credential, all of which need review before installation.

Install only if you are comfortable sending brand keywords and reports to third-party AI platforms, to Tavily and, when configured, to Feishu. Leave the Feishu webhook empty or run with --no-push unless report delivery is intended, do not expose the bundled API server publicly, and treat the embedded Tavily key as compromised: revoke it and remove it from the code before any real deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares only `allowed-tools: Bash(python3)` while the documented behavior clearly includes file access, environment variable use, network communication to external services, and webhook delivery. This creates a capability/permission transparency gap: reviewers and users may underestimate what data the skill can access or transmit, which is dangerous for a monitoring skill that handles brand names, API keys, and outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
A documented purpose/behavior mismatch is security-relevant here because the skill appears to do materially more than the user-facing description suggests, including server-mediated searches, external service dependence, API handling, upgrade/quota logic, and a separate Flask service. Hidden or under-disclosed behaviors increase the risk of unexpected data egress, secret exposure, and trust abuse, especially in a skill that claims to inspect third-party AI platforms locally.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The module treats the mere presence of a local GEO_API_KEY environment variable as proof of paid-tier entitlement and unlocks unrestricted features without any server-side verification. This enables trivial local bypass of licensing controls and undermines the integrity of quota enforcement.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill exposes functions that directly rewrite the local quota state to pro, enterprise, or free tiers with no authentication, integrity protection, or entitlement check. Any local caller or integrated component can invoke these functions to grant unauthorized premium access and tamper with billing or usage controls.
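The two findings above describe the same weakness from two sides: the client decides its own tier, once by looking for GEO_API_KEY in its environment and once through functions that rewrite local quota state. The following is an added example, not code from the GEO Master skill, that puts that pattern beside a hardened one in which the tier comes from a signed, expiring entitlement the client cannot forge. GEO_API_KEY and the tier names are taken from the findings; the token format, the key and the HMAC construction are assumptions for illustration (a real deployment would verify a public-key signature or ask the licensing server, so that the verification key on the client cannot issue tokens).

```python
"""Entitlement checks: the audited pattern (env-var presence, unprotected
tier rewrite) beside a signed, expiring entitlement the client cannot forge.
Added example, not the skill's code. GEO_API_KEY and the tier names come from
the findings above; the token format and the key are assumptions."""
import base64
import hashlib
import hmac
import json

TIERS = ("free", "pro", "enterprise")


# --- Pattern described in the findings (do not use) ---------------------
def tier_from_env_presence(env: dict) -> str:
    """Presence of GEO_API_KEY is taken as proof of payment: `export
    GEO_API_KEY=x` is enough to unlock paid features locally."""
    return "pro" if env.get("GEO_API_KEY") else "free"


def set_tier_unprotected(state: dict, tier: str) -> dict:
    """Rewrites local quota state with no authentication or integrity check."""
    state["tier"] = tier
    return state


# --- Hardened variant ----------------------------------------------------
# Assumption: a licensing server signs {"tier", "exp"} with a key the client
# never holds. HMAC is used so the example runs offline; in a real deployment
# the client would verify a public-key signature or defer to the server.
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s.encode())


def issue_entitlement(server_key: bytes, tier: str, ttl_s: int, now: int) -> str:
    if tier not in TIERS:
        raise ValueError("unknown tier")
    payload = json.dumps({"tier": tier, "exp": now + ttl_s}, sort_keys=True).encode()
    sig = hmac.new(server_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_entitlement(server_key: bytes, token: str, now: int) -> str:
    """Return the signed tier if authentic and unexpired, otherwise 'free'."""
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:                     # malformed token or bad base64
        return "free"
    expected = hmac.new(server_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "free"                      # forged or edited payload
    claims = json.loads(payload)
    if claims.get("tier") not in TIERS or claims.get("exp", 0) <= now:
        return "free"                      # unknown tier or expired
    return claims["tier"]


def demo(now: int = 1_700_000_000) -> dict:
    key = b"server-only-key-for-this-example"
    token = issue_entitlement(key, "pro", 3600, now)
    _, sig64 = token.split(".", 1)
    # Attacker keeps the genuine signature but edits the tier in the payload.
    forged = _b64(json.dumps({"tier": "enterprise", "exp": now + 3600},
                             sort_keys=True).encode()) + "." + sig64
    return {
        "env_presence": tier_from_env_presence({"GEO_API_KEY": "anything"}),
        "unprotected_rewrite": set_tier_unprotected({"tier": "free"}, "enterprise")["tier"],
        "valid": verify_entitlement(key, token, now),
        "tampered": verify_entitlement(key, forged, now),
        "expired": verify_entitlement(key, token, now + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

The first two entries of `demo()` show the bypass the findings describe: an arbitrary environment value yields "pro", and a plain dictionary write yields "enterprise". The hardened path returns "free" for an edited payload, an expired token or a malformed string, and the only way to obtain "pro" is a token signed with the key the client does not have.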

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code accepts multiple keywords but only submits self.keywords[0] to every platform, while the tool presents itself as monitoring multiple brand terms. This creates a silent integrity issue: users may make business or compliance decisions based on incomplete results, believing all supplied keywords were checked when they were not.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The report prints all user-provided keywords as the detection target, but the search logic only checks the first keyword. This is a report-integrity flaw that can mislead operators into trusting coverage that never occurred, especially in a brand monitoring skill whose output is likely consumed as evidence or KPI input.
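The two findings above are one defect seen from the search side and from the report side. As an added example (not the skill's code; the platform responses are constructed and `search_platform` stands in for the real per-platform calls), the following shows the `self.keywords[0]` bug next to a version that searches every (platform, keyword) pair and refuses to emit a report whose header claims pairs that were never searched:

```python
"""Keyword coverage: the `self.keywords[0]` bug from the findings beside a
version whose report can only claim what was actually searched.
Added example, not the skill's code; the platform results are constructed."""

# Constructed sample responses: platform -> keyword -> number of mentions.
SAMPLE_RESULTS = {
    "platform_a": {"Acme": 3, "AcmeCloud": 0, "Acme Pro": 1},
    "platform_b": {"Acme": 5, "AcmeCloud": 2, "Acme Pro": 0},
}

KEYWORDS = ["Acme", "AcmeCloud", "Acme Pro"]
PLATFORMS = ["platform_a", "platform_b"]


def search_platform(platform: str, keyword: str) -> int:
    """Stand-in for the real per-platform search call."""
    return SAMPLE_RESULTS[platform].get(keyword, 0)


def coverage_gaps(report: dict) -> list:
    """(platform, keyword) pairs the header claims but the results lack."""
    return [(p, kw) for p, per_kw in report["results"].items()
            for kw in report["target"] if kw not in per_kw]


class BuggyMonitor:
    """Accepts many keywords but only ever submits the first one."""

    def __init__(self, keywords, platforms):
        self.keywords = list(keywords)
        self.platforms = list(platforms)

    def run(self) -> dict:
        kw = self.keywords[0]                       # the defect
        return {p: {kw: search_platform(p, kw)} for p in self.platforms}

    def report(self, results: dict) -> dict:
        # Header lists every keyword as the detection target whether or not
        # it was searched, so the report overstates coverage.
        return {"target": self.keywords, "results": results}


class FixedMonitor(BuggyMonitor):
    def run(self) -> dict:
        return {p: {kw: search_platform(p, kw) for kw in self.keywords}
                for p in self.platforms}

    def report(self, results: dict) -> dict:
        rep = {"target": self.keywords, "results": results}
        gaps = coverage_gaps(rep)
        if gaps:                                    # never emit an overclaiming report
            raise RuntimeError(f"report claims unsearched pairs: {gaps}")
        return rep


def demo() -> dict:
    buggy = BuggyMonitor(KEYWORDS, PLATFORMS)
    fixed = FixedMonitor(KEYWORDS, PLATFORMS)
    buggy_report = buggy.report(buggy.run())
    fixed_report = fixed.report(fixed.run())
    return {
        "buggy_gaps": coverage_gaps(buggy_report),
        "fixed_gaps": coverage_gaps(fixed_report),
        "fixed_totals": {kw: sum(fixed_report["results"][p][kw] for p in PLATFORMS)
                         for kw in KEYWORDS},
    }


if __name__ == "__main__":
    print(demo())
```

`coverage_gaps` is the check an operator can run over any report the skill produces: with the buggy monitor it lists four claimed-but-unsearched pairs, with the fixed one it is empty, and the per-keyword totals show what the skill would have reported had it actually searched every term.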

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to send report data to a Feishu webhook but does not warn that brand names, search queries, visibility results, and related analysis may be transmitted to an external third-party service. In a brand monitoring context, these inputs and results may be commercially sensitive, so the missing disclosure can lead to unintended data leakage or compliance issues.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad triggers such as `GEO`, `AI可见性` (AI visibility), and `竞品监控` (competitor monitoring) can cause the skill to activate in contexts where the user did not intend external searches, scraping, or webhook pushes. For a skill with shell execution and network behavior, loose activation increases the chance of accidental invocation and unintended data transmission.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that professional mode uses server-mediated search and supports Feishu webhook pushing, but it does not clearly warn users that entered brand names, queries, results, and potentially related metadata may be transmitted to third-party services. Lack of explicit disclosure and consent is risky because users may assume processing is local while sensitive competitive intelligence is sent externally.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
User-supplied brand data is sent to a third-party service without any visible consent, minimization, or disclosure in this code path. In a monitoring product, this increases privacy and confidentiality risk because sensitive internal brand queries, campaign names, or undisclosed terms may be transmitted to an external provider.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code sends brand names and aggregated search-result snippets to an external AI service without any built-in user consent, disclosure, or data-classification guardrails. Even if this is expected product behavior, these inputs may contain sensitive business intelligence, third-party content, or internal monitoring data that should not be silently transmitted off-platform.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code automatically pushes the full generated report to a Feishu webhook whenever `push` is enabled, with no explicit consent prompt or in-band warning at the transmission point. Because the report includes search results and AI-generated analysis, this can leak sensitive brand-monitoring data or user-supplied keywords to an external service unexpectedly.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script automatically sends user-supplied brand keywords to multiple third-party AI platforms, but does not clearly warn about external transmission or privacy implications. In this skill context, keywords may include confidential campaign terms, unreleased products, client names, or sensitive competitive intelligence, so silent disclosure increases operational and privacy risk.
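The six "Missing User Warnings" findings all point at the same missing control: data leaves the machine (to Tavily, to the AI platforms, to the Feishu webhook) with no opt-in and no warning at the transmission point. The following is an added example, not the skill's code, of an egress gate that every outbound call has to pass: each destination must be explicitly opted in to, the default is a dry run that only describes what would be sent, and the webhook push carries counts rather than raw snippets and AI analysis. The destination names, the policy fields and the transport stub are assumptions for illustration; the sample report is constructed.

```python
"""Egress gate: no brand data leaves the machine unless the operator has
opted in per destination, and a dry run lists what would be sent first.
Added example, not the skill's code. Destination names, policy fields and
the transport stub are assumptions; the sample report is constructed."""
from dataclasses import dataclass, field
import json

DESTINATIONS = ("tavily", "ai_platforms", "feishu_webhook")


@dataclass
class EgressPolicy:
    allowed: frozenset = frozenset()   # destinations explicitly opted in to
    dry_run: bool = True               # default: describe, do not transmit


@dataclass
class EgressLog:
    sent: list = field(default_factory=list)
    blocked: list = field(default_factory=list)


def describe(dest: str, payload: dict) -> dict:
    """What a warning at the transmission point should show the operator."""
    return {"dest": dest, "fields": sorted(payload), "bytes": len(json.dumps(payload))}


def send(dest: str, payload: dict, policy: EgressPolicy, log: EgressLog, transport) -> bool:
    if dest not in DESTINATIONS:
        raise ValueError(f"unknown destination: {dest}")
    rec = describe(dest, payload)
    if dest not in policy.allowed:
        log.blocked.append({**rec, "reason": "not opted in"})
        return False
    if policy.dry_run:
        log.blocked.append({**rec, "reason": "dry run"})
        return False
    transport(dest, payload)               # the only place data actually leaves
    log.sent.append(rec)
    return True


def minimize_for_webhook(report: dict) -> dict:
    """Push counts only; raw snippets and AI analysis stay local."""
    return {"keywords": report["keywords"], "mentions": report["mentions"]}


def run_pipeline(report: dict, policy: EgressPolicy, transport) -> EgressLog:
    log = EgressLog()
    send("ai_platforms", {"keywords": report["keywords"]}, policy, log, transport)
    send("feishu_webhook", minimize_for_webhook(report), policy, log, transport)
    return log


# Constructed report of the shape the findings describe.
SAMPLE_REPORT = {
    "keywords": ["Acme", "Acme Pro"],
    "mentions": {"Acme": 8, "Acme Pro": 1},
    "snippets": ["...raw search result text..."],
    "analysis": "AI-generated commentary",
}


def demo() -> dict:
    delivered = []
    transport = lambda dest, payload: delivered.append((dest, payload))

    default_log = run_pipeline(SAMPLE_REPORT, EgressPolicy(), transport)
    optin = EgressPolicy(allowed=frozenset({"ai_platforms", "feishu_webhook"}), dry_run=False)
    optin_log = run_pipeline(SAMPLE_REPORT, optin, transport)
    webhook_payload = dict(delivered)["feishu_webhook"]
    return {
        "default_sent": len(default_log.sent),
        "default_blocked": [r["reason"] for r in default_log.blocked],
        "optin_sent": [r["dest"] for r in optin_log.sent],
        "webhook_fields": sorted(webhook_payload),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the `--no-push` behaviour from the overview is simply `feishu_webhook` absent from `allowed`, and `log.blocked` is the list an operator should be shown before confirming. The dry run costs nothing and answers the question every one of the findings above raises: which fields, to which third party, before anything is transmitted.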

Unpinned Dependencies

Low
Category
Supply Chain
Content
flask>=2.0
requests>=2.25
gunicorn>=20.0
Confidence
93% confidence
Finding
flask>=2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
flask>=2.0
requests>=2.25
gunicorn>=20.0
Confidence
93% confidence
Finding
requests>=2.25

Unpinned Dependencies

Low
Category
Supply Chain
Content
flask>=2.0
requests>=2.25
gunicorn>=20.0
Confidence
93% confidence
Finding
gunicorn>=20.0

Known Vulnerable Dependency: flask — 8 advisory(ies): CVE-2025-47278 (Flask uses fallback key instead of current signing key); CVE-2018-1000656 (Flask is vulnerable to Denial of Service via incorrect encoding of JSON data); CVE-2019-1010083 (Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory u) +5 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
flask

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
requests

Known Vulnerable Dependency: gunicorn — 4 advisory(ies): CVE-2018-1000164 (Gunicorn contains Improper Neutralization of CRLF sequences in HTTP headers); CVE-2024-6827 (Gunicorn HTTP Request/Response Smuggling vulnerability); CVE-2024-1135 (Request smuggling leading to endpoint restriction bypass in Gunicorn) +1 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
gunicorn
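The advisory lists above are keyed on package name, so they include CVEs fixed long ago; what they really say is that a floor-only specifier such as `requests>=2.25` neither excludes affected versions nor fixes which version an install receives. The following added check (not from the skill; the requirements text is the one quoted in the findings, the comparison versions are constructed) parses the file, classifies each specifier, and shows that the floor version itself still satisfies the constraint. Which version actually landed on a machine is a question for `pip freeze` and `pip-audit` run in the deployed environment.

```python
"""Classify requirement specifiers and test which versions satisfy them.
Added example, not from the skill. REQUIREMENTS is the text quoted in the
findings; the versions compared against it are constructed."""
import operator
import re

REQUIREMENTS = "flask>=2.0\nrequests>=2.25\ngunicorn>=20.0\n"

_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")
_SPEC = re.compile(r"(===|==|>=|<=|~=|!=|>|<)\s*([A-Za-z0-9.*+!-]+)")
# Simplifications: '~=' is treated as a lower bound only; '*' wildcards are
# not handled. Enough for the flat specifiers in the findings.
_OPS = {"==": operator.eq, "===": operator.eq, "!=": operator.ne,
        ">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "~=": operator.ge}


def parse_requirements(text: str) -> dict:
    """name -> [(op, version), ...] for each requirement line."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):       # blank, comment, pip option
            continue
        m = _NAME.match(line)
        if not m:
            continue
        name, _extras, rest = m.groups()
        reqs[name.lower()] = _SPEC.findall(rest)
    return reqs


def pin_status(reqs: dict) -> dict:
    """pinned (==), floor-only (only >= / >), range, or unconstrained."""
    out = {}
    for name, specs in reqs.items():
        if any(op == "==" for op, _ in specs):
            out[name] = "pinned"
        elif specs and all(op in (">=", ">") for op, _ in specs):
            out[name] = "floor-only"
        elif specs:
            out[name] = "range"
        else:
            out[name] = "unconstrained"
    return out


def _vtuple(v: str) -> tuple:
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def satisfies(version: str, specs: list) -> bool:
    """True if `version` meets every specifier (numeric components only)."""
    v = _vtuple(version)
    for op, want in specs:
        w = _vtuple(want)
        n = max(len(v), len(w))
        if not _OPS[op](v + (0,) * (n - len(v)), w + (0,) * (n - len(w))):
            return False
    return True


def demo() -> dict:
    reqs = parse_requirements(REQUIREMENTS)
    status = pin_status(reqs)
    return {
        "status": status,
        "floor_only": sorted(n for n, s in status.items() if s == "floor-only"),
        # The floor itself is an acceptable resolution: the file does not
        # say whether a machine gets that version or today's latest.
        "old_requests_ok": satisfies("2.25.0", reqs["requests"]),
        "pinned_example": pin_status(parse_requirements("requests==2.25.0\nflask>=2.0,<4\n")),
    }


if __name__ == "__main__":
    print(demo())
```

Run against the quoted file it reports all three packages as floor-only, which is the finding; the `pinned_example` entry shows what the same checker says about an exact pin and a bounded range. A pin alone still does not tell you whether the pinned version is affected by any of the advisories listed above; that is what `pip-audit` is for.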

VirusTotal

No VirusTotal findings
