Nova权限系统 (Nova Permission System)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local permission system, but its authorization checks can fail open and it persists identity data and secrets in ways users should review before installing.

Install only if you are comfortable with a workspace-wide permission gate that stores local identity/profile data. Before relying on it for real access control, change fail-open authorization paths to fail closed, hash or remove plaintext codes, avoid echoing secrets, narrow the AGENTS.md rules, and add clear retention/deletion controls for logs and memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill describes installation and use of file operations, configuration changes, and inter-skill calls, but the metadata declares no permissions. This mismatch prevents hosts and reviewers from accurately understanding the skill's effective capabilities, increasing the chance of unintended file access or modification during deployment.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The verification flow is effectively fail-open: check_verification_answer() returns True even when there is no reliable evidence, and its final default branch also returns True. As a result, an unverified user can be bound to an existing user_id and promoted to friend, enabling identity takeover and unauthorized access based on weak or nonexistent authentication.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This identity-management module stores long-term memories, key facts, and conversation summaries that are not necessary for core authentication. Combining authentication data with persistent personal profiling increases the blast radius of compromise and creates unnecessary exposure of sensitive personal information.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function claims it may recognize an existing user, but in all cases it creates a new user and binds the provided platform account to that new record. This enables identity confusion and duplicate-account creation, undermining integrity of the identity store and potentially bypassing any workflow that assumes a name match corresponds to a known person.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The middleware is described as enforcing permission checks at the message entry point, but the implementation explicitly allows requests when identity is missing, when test mode excludes an account, when checks are disabled in config, and when exceptions occur. In an authorization boundary, fail-open behavior turns routine errors or malformed requests into authorization bypasses, allowing privileged actions to proceed without a verified user or successful permission decision.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The document says routine chat does not require this skill, yet it also states every conversation must first determine the user's identity. This inconsistency can cause implementers to skip checks in some paths or perform partial checks inconsistently, which is a classic source of authorization bypass and unpredictable enforcement.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The document says routine chat does not require this skill, yet it also states every conversation must first determine the user's identity. This inconsistency can cause implementers to skip checks in some paths or perform partial checks inconsistently, which is a classic source of authorization bypass and unpredictable enforcement.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation condition is written broadly enough that ordinary requests about relationships, trust, roles, or permissions could trigger this skill even when the user is not actually attempting identity verification. In this context, the skill is marked with always=true and described as mandatory, which increases the chance of unnecessary invocation and can interfere with normal conversation flow or route users into an authentication path without clear need.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The skill content is entirely in Chinese and prescribes Chinese-language responses without any opt-in, locale detection, or justification. This can cause the assistant to switch languages unexpectedly during a sensitive authentication workflow, increasing the risk of user confusion, failed verification, or accidental disclosure if the user does not understand the prompts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code extracts personal facts from user messages and persists them to disk without any visible notice, consent, or disclosure in this flow. Silent collection of profile attributes can expose users to privacy harm and regulatory risk, especially when the data is retained alongside identity records.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module saves conversation summaries persistently when users say goodbye, but the code does not warn users that their conversations will be retained. Retaining conversational content without transparency can violate user expectations and increase privacy impact if the storage is accessed or leaked.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code persists audit records containing user identifiers such as open_id and user_id, along with operation details, to a predictable on-disk log file. While audit logging is a legitimate feature, storing potentially sensitive identifiers and contextual details without minimization, retention controls, access restrictions, or redaction increases privacy and data exposure risk if the file is read by unauthorized users or included in backups/log aggregation.
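The finding above is about the shape of the log, not whether one should exist. The following is an added example (not the skill's own code) of an audit log that keeps operation records reviewable while reducing what a leaked file reveals: `open_id` and `user_id` are replaced by keyed HMAC pseudonyms so entries from one principal still correlate without the raw identifiers on disk, the file is created owner-read/write only, and entries older than a retention window are pruned. The field names, the key handling and the 30-day retention period are assumptions made for this demo.

```python
"""Added example, not the skill's own code: a minimizing audit log.

Assumptions for the demo: events are dicts with optional open_id/user_id
fields, the pseudonym key lives outside the log directory, and 30 days is
an acceptable retention window.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, List, Optional

RETENTION_SECONDS = 30 * 24 * 3600
ID_FIELDS = ("open_id", "user_id")


class AuditLog:
    def __init__(self, path: str, pseudonym_key: bytes) -> None:
        self._path = path
        self._key = pseudonym_key  # keep this out of the log directory (secret store, env)

    def _pseudonym(self, value: str) -> str:
        # Keyed hash: stable per principal, not reversible without the key.
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

    def record(self, event: Dict[str, object]) -> Dict[str, object]:
        entry = dict(event)
        for f in ID_FIELDS:
            if f in entry:
                entry[f] = self._pseudonym(str(entry[f]))
        entry.setdefault("ts", time.time())
        # 0600 so other local users cannot read the log file.
        fd = os.open(self._path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(fd, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry, ensure_ascii=False) + "\n")
        return entry

    def read(self) -> List[Dict[str, object]]:
        if not os.path.exists(self._path):
            return []
        with open(self._path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def prune(self, now: Optional[float] = None, retention: float = RETENTION_SECONDS) -> int:
        """Drop entries older than the retention window; return how many were removed."""
        now = time.time() if now is None else now
        entries = self.read()
        if not entries:
            return 0
        keep = [e for e in entries if now - float(e["ts"]) <= retention]
        with open(self._path, "w", encoding="utf-8") as fh:
            for e in keep:
                fh.write(json.dumps(e, ensure_ascii=False) + "\n")
        return len(entries) - len(keep)


def demo() -> Dict[str, object]:
    """Write two constructed events, prune at day 31, and report what is left."""
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "audit.jsonl")
    log = AuditLog(path, pseudonym_key=b"demo-only-key-replace-in-deployment")
    day = 86_400.0
    old = log.record({"open_id": "ou_abc123", "user_id": "u-42", "op": "grant", "ts": 1_000_000.0})
    new = log.record({"open_id": "ou_abc123", "user_id": "u-42", "op": "revoke", "ts": 1_000_000.0 + 5 * day})
    removed = log.prune(now=1_000_000.0 + 31 * day)  # day-0 entry expired, day-5 entry kept
    with open(path, encoding="utf-8") as fh:
        raw = fh.read()
    return {
        "raw_id_on_disk": "ou_abc123" in raw,
        "same_pseudonym": old["open_id"] == new["open_id"],
        "removed": removed,
        "remaining_ops": [e["op"] for e in log.read()],
    }


if __name__ == "__main__":
    print(demo())
```

The pseudonym is truncated to 64 bits purely for log readability; keep the full digest if you need to rule out collisions at scale.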

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persistently stores platform identifiers and creates account records for previously unseen users without notice or consent. In a conversational skill, silently collecting and retaining stable identifiers increases privacy risk, enables tracking across sessions, and may violate user expectations or policy requirements.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Binding a platform account to a user record creates a durable identity linkage, but this function performs the linkage without any verification that the claimant is actually that user and without user-facing disclosure. If invoked from an untrusted flow, it can wrongly associate accounts, leading to impersonation, privacy violations, and downstream authorization errors.
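The two findings about recognition and binding (the recognize-or-create function that always creates, and the binding function that links an account to a `user_id` without verification) share one fix. Below is an added example, not the skill's own code, of an identity store whose lookup really consults previously bound accounts and whose binding path refuses to link a platform account to an existing user unless the caller presents a single-use token issued for that user. The store layout, the `platform:open_id` key format and the token flow (token handed to the existing user out of band) are assumptions for this demo.

```python
"""Added example, not the skill's own code: recognize-or-create plus a
verified binding step. Layout and token delivery are assumptions."""
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class UserRecord:
    user_id: str
    display_name: str
    accounts: Set[str] = field(default_factory=set)  # "platform:open_id" keys


class IdentityStore:
    def __init__(self) -> None:
        self._users: Dict[str, UserRecord] = {}
        self._by_account: Dict[str, str] = {}  # "platform:open_id" -> user_id
        self._pending: Dict[str, str] = {}     # single-use binding token -> user_id

    @staticmethod
    def _key(platform: str, open_id: str) -> str:
        return f"{platform}:{open_id}"

    def recognize_or_create(self, platform: str, open_id: str, display_name: str) -> Tuple[UserRecord, bool]:
        """Return (record, created). Only a previously bound account identifies
        someone; a matching display name never does."""
        key = self._key(platform, open_id)
        uid = self._by_account.get(key)
        if uid is not None:
            return self._users[uid], False
        rec = UserRecord(user_id=uuid.uuid4().hex, display_name=display_name)
        rec.accounts.add(key)
        self._users[rec.user_id] = rec
        self._by_account[key] = rec.user_id
        return rec, True

    def start_binding(self, user_id: str) -> str:
        """Issue a single-use token for an existing user (delivered to them out of band)."""
        if user_id not in self._users:
            raise KeyError(user_id)
        token = secrets.token_urlsafe(24)
        self._pending[token] = user_id
        return token

    def bind_platform_account(self, platform: str, open_id: str, token: str) -> Optional[UserRecord]:
        """Link platform:open_id to the user the token was issued for.
        Returns None, and binds nothing, on an unknown or already used token."""
        uid = self._pending.pop(token, None)
        if uid is None:
            return None
        key = self._key(platform, open_id)
        old_uid = self._by_account.get(key)
        if old_uid is not None and old_uid != uid:
            # The account was auto-created as its own record; detach it from there.
            self._users[old_uid].accounts.discard(key)
        target = self._users[uid]
        target.accounts.add(key)
        self._by_account[key] = uid
        return target


if __name__ == "__main__":
    store = IdentityStore()
    alice, _ = store.recognize_or_create("feishu", "ou_1", "Alice")
    token = store.start_binding(alice.user_id)
    print(store.bind_platform_account("wechat", "wx_9", "guessed-token"))  # None
    print(store.bind_platform_account("wechat", "wx_9", token).user_id == alice.user_id)  # True
```

Promotion to a privileged role (the "friend" tier in the findings) belongs after `bind_platform_account` returns a record, never on the unverified create path.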

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function stores user-provided names and role metadata persistently without informing the user. In this skill context, names are personal data and roles affect authorization decisions, so silent collection and storage create both privacy risk and integrity risk if data is inaccurate or maliciously supplied.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
When check_request encounters an exception during permission validation, it logs the error and returns allowed=True, which converts internal faults into successful authorization. An attacker can exploit parser/import/runtime failures or dependency issues to trigger the exception path and execute privileged actions without having execute permission.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The specific permission-check helper also fails open on exceptions, returning allowed=True even when the permission backend or import path breaks. Because this helper accepts arbitrary permission names, any subsystem relying on it for write/admin/execute enforcement can be bypassed whenever an error is induced or occurs naturally.
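The middleware finding and the two `check_request` findings above describe the same defect from different angles: every unusual path (no identity, test mode, checks disabled by config, any exception) ends in `allowed=True`. The following is an added example, not the skill's own code, of the same gate shape rewritten to fail closed. Only explicitly conversational operations bypass it; a disabled-checks setting refuses privileged operations instead of waving them through; a missing identity or a backend error is a denial. The request fields, permission names and backend interface are assumptions for the demo.

```python
"""Added example, not the skill's own code: a check_request() that fails closed.

Assumptions for the demo: requests are mappings with optional "user_id" and
"operation" fields, and the permission backend is a callable that maps a
user_id to the set of permission names it holds.
"""
from dataclasses import dataclass
from typing import Callable, Mapping, Set


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical backend interface: user_id -> granted permission names.
PermissionBackend = Callable[[str], Set[str]]

# Operations that need no authorization (plain chat). Everything else goes
# through the gate; there is no "checks disabled" shortcut.
CONVERSATIONAL_OPS = frozenset({"chat"})


class PermissionGate:
    def __init__(self, backend: PermissionBackend, checks_enabled: bool = True) -> None:
        self._backend = backend
        self._checks_enabled = checks_enabled

    def check_request(self, request: Mapping[str, object], permission: str) -> Decision:
        if request.get("operation") in CONVERSATIONAL_OPS:
            return Decision(True, "conversational operation, no permission required")

        # Configuration can only make the gate stricter, never bypass it.
        if not self._checks_enabled:
            return Decision(False, "permission checks disabled; refusing privileged operation")

        user_id = request.get("user_id")
        if not isinstance(user_id, str) or not user_id:
            return Decision(False, "no verified identity on request")

        try:
            granted = self._backend(user_id)
        except Exception as exc:  # import, parse or store failure
            # An internal fault is not evidence of authorization: deny and surface it.
            return Decision(False, f"permission backend error: {type(exc).__name__}")

        if permission in granted:
            return Decision(True, f"{user_id} holds {permission}")
        return Decision(False, f"{user_id} lacks {permission}")


def demo() -> dict:
    """Exercise the gate with constructed requests and a backend that raises for one user."""
    table = {"alice": {"execute", "write"}, "bob": {"read"}}

    def backend(user_id: str) -> Set[str]:
        if user_id == "carol":
            raise RuntimeError("permission store unreadable")  # simulated fault
        return table.get(user_id, set())

    gate = PermissionGate(backend)
    disabled = PermissionGate(backend, checks_enabled=False)
    run = {"operation": "run_script"}
    return {
        "alice_execute": gate.check_request({**run, "user_id": "alice"}, "execute").allowed,
        "bob_execute": gate.check_request({**run, "user_id": "bob"}, "execute").allowed,
        "no_identity": gate.check_request(run, "execute").allowed,
        "backend_fault": gate.check_request({**run, "user_id": "carol"}, "execute").allowed,
        "checks_disabled": disabled.check_request({**run, "user_id": "alice"}, "execute").allowed,
        "plain_chat": gate.check_request({"operation": "chat"}, "execute").allowed,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

If a test-mode exemption is genuinely needed, make it an explicit allowlist of accounts that is only honoured when the process itself is started in test mode, and still route those accounts through the same deny-on-error path.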

Ssd 3

High
Confidence
98% confidence
Finding
The application-submitted response template includes '暗号:{code}' (roughly "secret code: {code}"), which instructs the assistant to repeat the user's secret authentication code back in natural language. Echoing secrets into chat transcripts materially increases exposure to logs, screenshots, conversation history, observers, and downstream systems that may store or process the response.
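This finding and the earlier one about `check_verification_answer()` returning True by default point at the same code path. Below is an added example, not the skill's own code, of handling the applicant's secret code so that it is neither echoed nor stored in plaintext: the code is kept only as a salted PBKDF2 hash, compared in constant time with an attempt budget, and the acknowledgement message never contains it. The record layout, the attempt limit and the message wording are assumptions for the demo.

```python
"""Added example, not the skill's own code: hashed secret codes, no echo.

Assumptions for the demo: the applicant supplies the code in chat, the
record is persisted as a dict, and five wrong answers lock the record.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 100_000


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def record_application(applicant: str, code: str) -> Tuple[Dict[str, object], str]:
    """Persist the application with a hashed code; return (record, reply text)."""
    salt = os.urandom(16)
    record = {
        "applicant": applicant,
        "salt": salt.hex(),
        "code_hash": _hash_code(code, salt).hex(),
        "attempts": 0,
    }
    # The reply acknowledges receipt but never repeats the secret.
    reply = f"{applicant}, your application has been submitted and is awaiting approval."
    return record, reply


def check_verification_answer(record: Dict[str, object], answer: str, max_attempts: int = 5) -> bool:
    """Fail closed: True only on a constant-time hash match within the attempt budget."""
    if not isinstance(answer, str) or not answer:
        return False
    attempts = int(record["attempts"])
    if attempts >= max_attempts:
        return False  # locked; a fresh code must be issued
    record["attempts"] = attempts + 1
    expected = bytes.fromhex(str(record["code_hash"]))
    actual = _hash_code(answer, bytes.fromhex(str(record["salt"])))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    rec, msg = record_application("zhang", "tiger-7431")
    print(msg)
    print("wrong answer:", check_verification_answer(rec, "tiger-0000"))
    print("right answer:", check_verification_answer(rec, "tiger-7431"))
```

Because the stored value is a salted hash, an operator reviewing the on-disk record (or a backup of it) cannot recover the code, and the only place the plaintext ever appears is the applicant's own message.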

Hidden Instructions

High
Category
Prompt Injection
Content
Add the following security rules to your workspace `AGENTS.md` file:

```markdown
<!-- security-rules-start -->
## 🔒 Security Rules (Mandatory)

### 1. Permission Check (Required)
```
Confidence
93% confidence
Finding
<!-- security-rules-start --> ## 🔒 Security Rules (Mandatory) ### 1. Permission Check (Required) **Before executing ANY non-conversational operation, you MUST call permission-gate skill first!** ##

VirusTotal

66/66 vendors flagged this skill as clean.