全网热点追踪

Security checks across malware telemetry and agentic risk

Overview

The skill’s purpose is clear, but it sends an API key over HTTPS while deliberately disabling certificate verification, which makes credential interception or response tampering a real review concern.

Install only if you are comfortable giving this skill a RedFox API key and making calls to redfox.hk. The code should be fixed to keep normal HTTPS certificate verification enabled before using a real key, and users should avoid enabling any subscription/push behavior unless the schedule, delivery channel, and cancellation flow are explicit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill documentation indicates capabilities to read environment variables, perform network access, and write files, but no permissions are explicitly declared. This creates a transparency and consent problem: the agent may access secrets like API keys and persist fetched data locally without users or the hosting platform being able to apply clear permission boundaries. In this context, those behaviors are partly expected for a hot-trend aggregator, but they still require explicit declaration because they handle external data and local storage.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented behavior goes beyond simple hotlist aggregation by reading an API key from the environment, writing complete data to a local file, and reportedly disabling SSL certificate validation during third-party requests. The SSL-bypass aspect is the most serious because it can enable man-in-the-middle interception or tampering of API responses and credentials; local file output also increases the chance of unintended data exposure through path leakage or unsafe file handling. The skill context makes network access expected, but not insecure transport or undocumented persistence.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The script writes the full fetched dataset to a local temporary file and then exposes that path in its output. In an agent or multi-tenant runtime, this can unnecessarily persist potentially sensitive query results on disk and make later access easier for other tools, logs, or users that can read the path.

Intent-Code Divergence

Severity: Low
Confidence: 82%
Finding: The comment documents an intentional design choice to avoid repeat API calls by storing complete data in a temp file and revealing its location. That behavior increases data exposure and normalizes disk persistence as part of routine output, which is risky in shared execution environments.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The README advertises very generic trigger phrases such as 'Hot ranking', 'trending list', and platform names, which can easily overlap with ordinary user conversation and unintentionally invoke the skill. In an agent environment, overbroad activation can cause unintended external API calls, retrieval of third-party data, or creation of workflows the user did not explicitly mean to trigger.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README promotes scheduled subscription pushes but does not warn users that this creates an ongoing automated task that may continue sending notifications or consuming API-backed operations after the initial request. Without clear disclosure and confirmation language, users may unknowingly enable persistent automation, leading to surprise notifications, unwanted data processing, or repeated external service usage.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The documented trigger phrases include very broad everyday expressions such as “热点榜”, “热榜”, and “微博热搜”, which can plausibly appear in normal conversation and cause accidental invocation. In a skill that can fetch external data and create subscriptions, unintended activation can lead to confusing behavior, unsolicited network calls, or users being funneled into follow-up actions they did not explicitly intend.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The README advertises recurring subscription/push behavior but does not describe explicit consent, scheduling details, cancellation flow, or confirmation prompts before enabling persistent notifications. This is risky because a user could unknowingly authorize ongoing messages, creating spam/privacy concerns and reducing transparency around long-lived actions.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The trigger phrase “热点榜” is extremely broad and can overlap with ordinary user conversation or generic requests about trending topics. In an agent environment, this can cause unintended skill activation, routing user input into this skill when the user did not explicitly intend to invoke it, which may produce irrelevant results or interfere with safer/more appropriate handlers.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: “今日热点” is also a common natural-language phrase and lacks boundaries that distinguish skill invocation from general news-related discussion. This increases the risk of accidental triggering and unintended data retrieval behavior, especially in multi-skill systems where other news, search, or chat functions may be more appropriate.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: “昨天的热点” is a highly natural conversational expression rather than a distinct command, so it can easily collide with normal dialogue about past events. In practice this can cause the skill to hijack broad user queries, reducing reliability and potentially exposing platform-aggregated outputs when the user expected a general answer.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: “本周热点” is broad enough to overlap with ordinary requests for weekly news summaries and does not define clear invocation boundaries. In a shared assistant context, ambiguous matching can lead to incorrect tool selection, confusing responses, and degraded trust in the system’s intent routing.

Vague Triggers

Severity: Low
Confidence: 81%
Finding: Although less severe, “搜苏超” is a very short trigger that can be mistaken for a general search request rather than a command for this specific skill. The ambiguity is lower than the broader phrases above, but it can still misroute user intent in environments with multiple search-capable tools.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script silently writes the complete fetched dataset to a temporary file without user awareness. Even if the data is not highly sensitive, silent persistence expands the attack surface through disk residue, accidental disclosure, and access by other local processes or later workflow steps.

VirusTotal

VirusTotal findings are pending for this skill version.