AI公众号信息源 (AI WeChat official account information feed)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate the promised AI article reports, but it also starts a credential-backed local search server and can install a recurring system task, so it needs review before use.

Install only if you are comfortable with a local report tool that contacts redfox.hk, keeps a local server running on 127.0.0.1:8765 for search, and can create a daily scheduled task when --subscribe is used. Prefer a dedicated low-privilege API key, avoid --subscribe unless you actually want recurring execution, and review or remove the LaunchAgent or crontab entry if you do enable it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = os.path.abspath(__file__)
cron_line = f"0 9 * * * /usr/bin/python3 {script_path} --no-open"
try:
    subprocess.run(
        f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -',
        shell=True, check=True, capture_output=True
    )
Confidence
98% confidence
Finding
subprocess.run( f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -', shell=True, check=True, capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
    script_path = os.path.abspath(__file__)
    try:
        subprocess.run(
            f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -',
            shell=True, check=True, capture_output=True
        )
Confidence
99% confidence
Finding
subprocess.run( f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -', shell=True, check=True, capture_output=True )

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill claims to generate reports, but it also installs and removes persistent scheduled tasks at the OS level. That broader behavior increases risk because it establishes recurring execution on the user's machine, which exceeds what many users would expect from a reporting tool.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The embedded local HTTP service exposes an API proxy endpoint in addition to serving the generated report. This broadens the attack surface and creates a local service that can forward queries using the configured API key, which is beyond the narrow purpose of static report generation.

Description-Behavior Mismatch

High
Confidence
100% confidence
Finding
The generated HTML is populated with the API key via string replacement, causing credential material to be embedded in an output artifact that may be opened, copied, shared, or inspected later. This can leak private API credentials to anyone with access to the report file or browser context.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The skill describes automatically generating local files, opening a browser, and enabling subscription behavior without a prominent warning that these actions change the user's system state. Even when this is intended functionality, automatic side effects can surprise users, create persistence, or expose local content in ways they did not explicitly approve.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill states that it starts a local proxy service on port 8765 for real-time search, but does not clearly warn about local service exposure, data flow, or privacy implications. A background local service can expand attack surface, leak queried content, or conflict with other software if users are not informed about binding behavior and network scope.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The subscription installer modifies LaunchAgents or crontab entries without a detailed upfront warning about persistence, file paths, and recurring execution. Hidden or weakly disclosed persistence is risky because users may not understand that the tool will continue running automatically.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal