Douyin Daily TOP Accounts (抖音每日TOP账号)

Security checks across malware telemetry and agentic risk

Overview

The skill’s main ranking and report features match its purpose, but it includes recurring subscription setup and automatic local report opening that need closer review before installation.

Install only if you are comfortable giving the skill a RedFox API key, sending ranking query parameters to redfox.hk, and allowing it to create local report files. Treat subscriptions as persistent scheduled tasks and confirm how to view or cancel them. Avoid untrusted output paths or filenames, especially on Windows, and consider opening generated HTML reports manually rather than relying on automatic launch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if system == "Darwin":  # macOS
    subprocess.run(["open", str(abs_path)], check=True)
elif system == "Windows":
    subprocess.run(["start", "", str(abs_path)], shell=True, check=True)
else:  # Linux
    subprocess.run(["xdg-open", str(abs_path)], check=True)
print(f"\n✓ HTML 报告已自动打开: {abs_path}", file=sys.stderr)
Confidence
95% confidence
Finding
subprocess.run(["start", "", str(abs_path)], shell=True, check=True)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation gives contradictory requirements for the mandatory `source` parameter: the request example uses `抖音每日最具影响力账号-ClawHub` while the warning says only `抖音每日最具影响力账号` will work. This can cause integrators to send the wrong constant, leading to failed requests or empty results and undermining reliability of downstream ranking analysis.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script performs an additional side effect beyond report generation by automatically launching the generated HTML in a local application. In a skill advertised for generating/downloading reports, unexpected program execution expands the attack surface and can surprise users, especially because the HTML includes remote JavaScript from a CDN.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README tells users to interact using unrestricted natural language without defining clear activation boundaries or supported intents. In an agent environment, overly broad triggering can cause the skill to be invoked for unintended requests, increasing the chance of inappropriate data access, unintended API usage, or execution of side effects such as report generation or subscription setup.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises automatic subscription push behavior but does not clearly warn users that this creates a persistent task with ongoing outbound notifications. Without explicit disclosure and confirmation, users may unintentionally authorize recurring messages or background processing, which can lead to privacy issues, spam-like behavior, and difficulty understanding or revoking the ongoing action.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The top-level description says the skill should be used whenever a user needs ranking queries, report downloads, or subscriptions, which is broad enough to trigger in many loosely related conversations. Over-broad routing can cause unintended invocation of a skill that performs network requests and file generation, increasing the chance of unnecessary data access or side effects.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The listed trigger phrases include generic terms such as '最新推荐' and broad ranking/report wording that could match everyday requests outside this skill's scope. In context, this is more dangerous because the skill can fetch remote data, generate files, and set up automations, so accidental activation has non-trivial side effects.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The claim that 'any colloquial expression will automatically map' to a category is overly broad and lacks clear boundaries or confidence thresholds. In an agent skill, this can silently misclassify user intent, trigger unintended external queries, and return misleading ranking data when ambiguous terms are mapped without explicit confirmation.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill is designed to read an API key from environment variables and send requests to an external domain, but the documentation does not mention user-facing disclosure, consent, or data-handling boundaries. In an agent environment, this creates a transparency and privacy risk because user-supplied query details may be sent off-platform without clear notice, and implementers may not add proper credential-handling safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.
