ClawHub

LBS Market Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill’s market-analysis function is legitimate, but it asks an agent-run browser to create AMAP account resources, accept an agreement, persist a login session, and write an API key to disk with weak user-control boundaries.

Review before installing. Prefer creating an AMAP Web Service key manually and providing it through your own secret-management process. Run the browser automator only if you intend it to operate inside your AMAP account, create app/key resources, accept the agreement checkbox, save session state in ./amap_session, and append the key to .env. Protect or delete the session directory, .env file, and any logs that may contain the key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and instructs execution of code that accesses environment variables, writes to local files, and makes networked/API/browser-driven requests, yet no permissions are declared. This is dangerous because users and hosting systems cannot make an informed trust decision about secret handling, filesystem modification, and outbound connectivity before running the skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially overclaims analytical capabilities while also hiding higher-risk operational behavior: automated browser-based console interaction, login/session handling, credential creation, and local secret persistence. This mismatch is security-relevant because it can cause users to authorize execution expecting passive analysis, when the skill actually performs account-affecting actions and stores credentials locally.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script's behavior goes beyond market analysis and actively provisions developer credentials, extracts the resulting API key, and persists it locally. In an agent skill context, hidden credential creation/storage materially increases risk because it grants ongoing access to an external service account and is not necessary for passive analysis alone.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Writing a newly created API key into the project's .env file establishes local credential persistence without explicit disclosure or access controls. This is dangerous because .env files are often broadly accessible to other tooling, may be committed accidentally, and create a reusable secret outside the immediate automation session.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs automated API key provisioning that appends a newly created credential to `.env` without a clear warning about modifying local files, persisting secrets, or the security implications of storing credentials on disk. This can expose secrets through accidental commits, permissive file access, shared workspaces, or later tool misuse, especially because the key is created through browser/account automation rather than supplied knowingly by the user.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The skill hard-codes Chinese search terms for AMAP queries without offering locale selection, translation, or justification, which can bias or break analysis for users, regions, or datasets that do not use those labels. In a market-intelligence and site-selection skill, this can systematically miss relevant POIs, distort density estimates, and produce misleading business recommendations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatically checking the agreement box causes the tool to accept legal or service terms on the user's behalf without explicit acknowledgement. In a browser automation skill, this can bind the user or organization to terms they did not review and obscures meaningful consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Persisting a credential-like value to .env without prior disclosure is a real security issue because it creates a durable secret in a common project file that may be read by other processes or leaked through version control. The skill context makes this more dangerous because users invoking market analysis would not reasonably expect secret harvesting and local persistence behavior.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The script sends user-supplied address/location data to the external AMAP API, which can expose sensitive geolocation information to a third party without any visible notice, consent flow, or minimization controls in the code. In a market-analysis skill, addresses may represent prospective sites, customer locations, or other commercially sensitive targets, making privacy leakage more significant.

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright
python-dotenv
Confidence
96% confidence
Finding
playwright

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright
python-dotenv
Confidence
98% confidence
Finding
python-dotenv

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
91% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal