AI视频号信息源 (AI WeChat Channels Information Source)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but its optional subscription feature stores an API key in a local scheduler file and uses unsafe shell-based cron edits on non-macOS systems.

Review before installing if you plan to use --subscribe. It will create a recurring local task, and on macOS it can save REDFOX_API_KEY in a plaintext LaunchAgent plist. Prefer one-off runs unless you are comfortable with that, and rotate or revoke the API key if you later remove the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = os.path.abspath(__file__)
cron_line = f"0 16 * * * /usr/bin/python3 {script_path} --no-open"
try:
    subprocess.run(
        f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -',
        shell=True, check=True, capture_output=True
    )
Confidence
95% confidence
Finding
subprocess.run( f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -', shell=True, check=True, capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
    script_path = os.path.abspath(__file__)
    try:
        subprocess.run(
            f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -',
            shell=True, check=True, capture_output=True
        )
Confidence
97% confidence
Finding
subprocess.run( f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -', shell=True, check=True, capture_output=True )

Missing Permission Declaration

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation instructs use of environment variables, network access, local file writes, browser launching, and scheduled execution, but no explicit permission declarations or trust boundaries are present. This increases the risk that a user or agent invokes a capability-rich skill without clear consent for filesystem persistence, outbound requests, or task installation.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill installs and removes OS-level persistence through launchd and crontab, which is broader than simple report generation and increases the blast radius of misuse. In this context it is somewhat justified by the advertised subscription feature, but it still changes host persistence and should be treated as sensitive behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code reads the API key from the environment and writes it into a LaunchAgent plist so scheduled runs can reuse it. Persisting credentials in plaintext on disk materially increases exposure through local file disclosure, backups, and support logs or screenshots.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation guidance is broad enough that ordinary user requests about AI trends, reports, or WeChat Video content could trigger the skill without clear boundaries. This increases the risk of unintended activation, causing the agent to call external data sources or produce reports when the user did not explicitly intend to use this specific skill.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README instructs users to invoke the skill with broad natural-language phrases like “直接用自然语言描述需求” (“just describe what you need in natural language”) and multiple loosely scoped examples, but it does not define clear activation boundaries, allowed operations, or constraints. In an agent environment, this can cause over-triggering or unintended execution in response to ambiguous user requests, increasing the chance that the skill is invoked in contexts the user did not clearly intend.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger description is broad enough that an agent could activate this skill for loosely related requests about AI content or reports, causing unintended network queries, local report generation, or subscription setup. Overbroad routing is dangerous because it can invoke a side-effecting skill outside the user's precise intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation advertises automatic HTML report generation in a local directory and installation of a daily scheduled subscription, but it does not prominently warn that this creates persistent files and modifies scheduled tasks on the host. Users may unknowingly authorize recurring execution and accumulating local artifacts, which is especially risky in an agent context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The subscription flow writes persistent scheduler configuration and executes scheduler commands without a strong user-facing warning about those side effects. Silent or underexplained persistence is risky because users may not realize the script will continue running automatically and producing network requests or files.

Missing User Warnings

High
Confidence
98% confidence
Finding
Persisting the API key into a LaunchAgent plist without clearly warning the user creates a plaintext secret-on-disk issue with long-lived exposure. This is especially sensitive because the skill is a feed/report tool, so users may not expect credential storage outside the current shell session.

VirusTotal

VirusTotal findings are pending for this skill version.
