AI Kuaishou Information Source (AI快手信息源)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs the advertised Kuaishou AI report workflow, but it adds a local API proxy and scheduled-task persistence that can expose or persist the user's API key.

Install only if you are comfortable giving this skill a Redfox API key, letting it run a localhost preview server, and optionally creating a scheduled task. Prefer an environment variable over command-line or plaintext config keys, avoid --subscribe unless you have reviewed the LaunchAgent/crontab entry, and rotate the API key if it may have been written into local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = os.path.abspath(__file__)
cron_line = f"0 9 * * * /usr/bin/python3 {script_path} --no-open"
try:
    subprocess.run(
        f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -',
        shell=True, check=True, capture_output=True
    )
Confidence
96% confidence
Finding
subprocess.run( f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -', shell=True, check=True, capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
    script_path = os.path.abspath(__file__)
    try:
        subprocess.run(
            f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -',
            shell=True, check=True, capture_output=True
        )
Confidence
98% confidence
Finding
subprocess.run( f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -', shell=True, check=True, capture_output=True )

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The embedded HTTP service exposes an image proxy that fetches arbitrary URLs supplied by the client and a local search proxy that forwards privileged requests using the stored API key. Even though it binds to 127.0.0.1, any local process or malicious web page can potentially abuse this service for SSRF-style access, API-key misuse, or unauthorized request relaying.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The configuration hardcodes a default API key and pairs it with an outbound POST endpoint that saves records to a third-party service. This creates a real risk of unauthorized data transmission, key reuse/abuse, and silent exfiltration of potentially sensitive investigation content, especially because the skill's stated purpose is search/investigation rather than remote record syncing.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly tells users to supply API credentials via command-line arguments and to store them in a local plaintext config file, but provides no warning about process-list exposure, shell history leakage, or insecure file permissions. This creates a realistic risk of credential disclosure on shared systems or through local compromise, especially because the token appears to grant access to a third-party API service.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill directs users to generate HTML, auto-open it, and run a local preview server that also exposes search and image proxy endpoints, but does not clearly disclose the security implications of serving local content and proxying remote resources. Even when bound to localhost, such behavior can increase attack surface through browser rendering of untrusted HTML, SSRF-like proxy misuse, or accidental exposure if the service is reconfigured or tunneled.

Missing User Warnings

High
Confidence
99% confidence
Finding
The generated HTML explicitly substitutes {{API_KEY}} with the live API key, causing secret exposure in a report file that may be opened in a browser, shared, indexed, or stored on disk. This unnecessarily leaks credentials beyond runtime memory and makes subsequent API abuse straightforward.

Missing User Warnings

High
Confidence
98% confidence
Finding
The subscription installer writes the API key into a LaunchAgent plist as an environment variable without warning. That persists the secret on disk in a predictable location, increasing exposure to local users, backups, and forensic recovery.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically installs a persistent scheduled task when invoked with --subscribe, and does so without an additional confirmation prompt or explicit warning about system modification. While user-triggered, this kind of persistence is security-relevant because it alters execution state and can surprise users or be misused in a broader chain.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This section provides a structured workflow for investigating a person's background, reputation, controversies, and lawsuits without any guardrails about privacy, consent, defamation risk, jurisdictional limits, or lawful use. In a skill explicitly designed for investigation, the omission materially increases the chance of misuse for doxxing, invasive profiling, or unfair reputational targeting.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The manifest defines transmission of investigation records to a remote API without any user-facing disclosure or consent flow. In the context of an intelligence/investigation skill, the records may contain highly sensitive queries, targets, or findings, so silent logging materially increases privacy, compliance, and insider-abuse risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal