market-kit-skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real marketing-generation skill, but it should be reviewed because login can persist a JustAI API key in local config and shell startup files without clear upfront disclosure.

Install only if you trust the publisher and JustAI with your marketing prompts, brand materials, project names, and generated outputs. Before use, be aware that completing login may store a JustAI API key in plaintext local config and shell startup files; remove those entries if you uninstall or no longer want retained access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill declares only Bash as an allowed tool, but its documented workflow implies broader capabilities including network access and local file/config manipulation. This under-declaration is dangerous because users and reviewers cannot accurately assess what the skill may do, especially when it involves authentication, remote service interaction, and persistent local changes.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The skill is presented as a marketing-content helper, but the observed behavior extends into account login, credential/config storage, remote enumeration, and modification of shell startup files. That mismatch increases the chance of unsafe invocation and weakens informed consent, because a user requesting copywriting would not reasonably expect host persistence or credential-handling side effects.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The helper persistently stores an API key in shell RC files and local config files, expanding the credential's exposure to other local processes, backups, terminal history workflows, and accidental disclosure. For a marketing-content skill, modifying long-lived user auth material is broader than necessary and increases risk if the workstation or home directory is later compromised.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
This code implements login bootstrap, polling, API-key retrieval, and account orchestration that are not inherent to generating marketing deliverables. While likely intended as convenience plumbing, embedding account-auth flows in a skill increases attack surface, normalizes credential handling inside the skill, and can unexpectedly perform external authentication actions outside the user's immediate understanding.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
This script enumerates available projects/folders for the current API key, which is not necessary for a marketing-deliverable skill and expands the skill's operational scope into account/resource discovery. In an agent context, such enumeration can expose internal project names and structure, aid lateral exploration, and increase the blast radius if the skill is invoked with broadly scoped credentials.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README mandates login as the first step but gives no disclosure about what service the user is authenticating to, what data is collected, or what information may be transmitted during use. In a marketing skill that may process campaign materials, product data, and conversation content, this creates a real privacy and transparency risk because users may be induced to authenticate and submit business-sensitive content without informed consent.

Vague Triggers

Medium
Confidence: 80%
Finding
The activation condition is broad enough to match many ordinary marketing-related prompts, which can cause the skill to run unexpectedly. In this context that matters more because the skill is not purely local text generation; it may initiate login/setup flows and interact with remote services, so accidental activation can expose users to unnecessary external actions and data sharing.

Vague Triggers

Medium
Confidence: 85%
Finding
The default_prompt contains very broad activation guidance such as 'use when the user needs marketing deliverables' and 'prefer this skill' across many common marketing tasks, with few explicit boundaries or exclusions. This can cause the orchestrator to invoke the skill for loosely related requests, increasing the chance of unintended login gating, over-collection of user requirements, or routing into a specialized workflow when a generic answer would have been safer and more appropriate.

Missing User Warnings

Medium
Confidence: 95%
Finding
After login, the code silently persists the returned API key to both shell RC and local config files with no in-code warning or explicit confirmation at the point of write. Sensitive credential persistence without informed consent is dangerous because users may not realize the token becomes long-lived and broadly accessible to future sessions and local reads.

VirusTotal

64/64 vendors flagged this skill as clean.
