AI抖音信息源 (AI Douyin Feed)

Security checks across malware telemetry and agentic risk

Overview

This skill’s report generation is coherent, but its optional subscription feature can install recurring tasks and may persist the user’s API key to disk without clear enough disclosure.

Install only if you are comfortable giving this skill a RedFox API key and letting it create local reports. Use subscription mode carefully: on macOS it may write the API key into a LaunchAgent plist, and on other systems it edits crontab. Prefer running reports manually unless you have reviewed the scheduled task and know how to remove it with --unsubscribe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = os.path.abspath(__file__)
cron_line = f"0 16 * * * /usr/bin/python3 {script_path} --no-open"
try:
    subprocess.run(
        f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -',
        shell=True, check=True, capture_output=True
    )
Confidence
98% confidence
Finding
subprocess.run( f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -', shell=True, check=True, capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
    script_path = os.path.abspath(__file__)
    try:
        subprocess.run(
            f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -',
            shell=True, check=True, capture_output=True
        )
Confidence
99% confidence
Finding
subprocess.run( f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -', shell=True, check=True, capture_output=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and instructs use of capabilities including environment variable access, network calls, local file writes, and shell execution, but does not declare any permissions. This creates a transparency and consent problem: users or platforms cannot accurately assess what the skill will access or modify before running it, especially since it stores reports locally, opens a browser, and supports subscription-based scheduled execution.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill's primary purpose is fetching and rendering a Douyin AI feed, but it also installs and removes persistent scheduled tasks via launchd and crontab. Persistence materially expands the trust boundary and can surprise users by causing recurring execution beyond the immediate task.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The installer reads the API key from the environment and embeds it into a LaunchAgent plist stored on disk. Persisting secrets in a world-readable or backup-exposed config file increases credential exposure and exceeds the stated feed-generation purpose.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README defines activation through very broad natural-language intents such as 'Simply describe your need in natural language' and multiple generic examples, but does not establish clear trigger boundaries, exclusions, or confirmation requirements. This can cause the skill to be invoked unexpectedly on loosely related requests about Douyin, AI trends, or reports, increasing the chance of unintended data retrieval, external API use, and user confusion about what action will be taken.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The subscription path stores the user's API key into a LaunchAgent plist without prominently warning that a secret will be persisted to disk. This lack of transparency prevents informed consent and can lead to accidental credential exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code modifies the user's crontab automatically when --subscribe is used, without an additional confirmation step or explicit warning about persistence. Silent system configuration changes are risky because they can create recurring execution the user did not fully understand.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The unsubscribe logic automatically unloads and removes scheduled tasks without a confirmation step. Although less dangerous than silent installation, unannounced system task modification can still confuse users and remove unrelated entries if matching logic is too broad.

VirusTotal

VirusTotal findings are pending for this skill version.
