AI小红书信息源 (AI Xiaohongshu Information Source)

Security checks across malware telemetry and agentic risk

Overview

The skill’s main feed/report function is coherent, but its optional subscription mode creates persistent scheduled tasks and can store the API key on disk without clear warning.

Review this skill before installing it if you plan to use subscriptions. One-shot report generation appears aligned with the stated purpose, but enabling --subscribe adds a recurring scheduled task (a crontab entry, or a LaunchAgent on macOS), and on macOS it may write your RedFoxHub API key into the LaunchAgent plist in plaintext. Use a revocable, least-privilege API key and rotate it if it has been written to disk; if you stop using the skill, check your crontab and ~/Library/LaunchAgents for entries that reference the skill's script and remove them; and avoid subscription mode unless you accept that persistence.
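The check above can be scripted. The following Python audit is an added example, not the skill's own code: it looks in the two places the report names, the user's crontab (a line that runs the skill's script) and macOS LaunchAgent plists (a job that runs the script, possibly with the API key embedded). The script filename (main.py), the environment-variable name (REDFOXHUB_API_KEY), the plist label and the placement of the key in an EnvironmentVariables dict are all assumptions; the page does not state them, and the secret-name pattern is a heuristic, so treat hits as leads to inspect rather than proof.

```python
"""Audit a host for persistence left behind by a skill's --subscribe mode.

Added example, not the skill's own code. It inspects the user's crontab for a
line invoking the skill's script and macOS LaunchAgent plists for a job that
runs the script or carries a secret-looking environment variable. Assumed:
the script is called main.py, the key is passed via EnvironmentVariables
(the usual way launchd jobs receive environment), and the variable name
contains KEY/TOKEN/SECRET/PASSWORD.
"""
import plistlib
import re
import subprocess
from pathlib import Path

SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.IGNORECASE)


def cron_entries_for(crontab_text: str, script_name: str) -> list[str]:
    """Return crontab lines (comments excluded) whose command mentions script_name."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if script_name in stripped:
            hits.append(stripped)
    return hits


def plist_findings(plist_bytes: bytes, script_name: str) -> dict:
    """Inspect one LaunchAgent plist for the skill's job and embedded secrets."""
    job = plistlib.loads(plist_bytes)
    args = [str(a) for a in job.get("ProgramArguments", [])]
    env = job.get("EnvironmentVariables", {}) or {}
    return {
        "label": job.get("Label", ""),
        "runs_script": any(script_name in a for a in args),
        "secret_env_vars": sorted(k for k in env if SECRET_NAME.search(k)),
    }


def audit_live(script_name: str) -> dict:
    """Run both checks against this user's crontab and ~/Library/LaunchAgents."""
    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    report = {"cron": cron_entries_for(cron.stdout, script_name), "plists": []}
    for path in Path.home().joinpath("Library", "LaunchAgents").glob("*.plist"):
        try:
            finding = plist_findings(path.read_bytes(), script_name)
        except Exception as exc:  # malformed plist: record it and move on
            finding = {"label": path.name, "error": str(exc)}
        if finding.get("runs_script") or finding.get("secret_env_vars"):
            finding["path"] = str(path)
            report["plists"].append(finding)
    return report


# Constructed sample inputs (not captured from a real host).
SAMPLE_CRONTAB = """# m h dom mon dow command
0 16 * * * /usr/bin/python3 /Users/me/skills/redfoxhub/main.py --no-open
30 2 * * 0 /usr/local/bin/backup.sh
"""

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.redfoxhub.daily</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python3</string>
    <string>/Users/me/skills/redfoxhub/main.py</string>
    <string>--no-open</string>
  </array>
  <key>EnvironmentVariables</key><dict>
    <key>REDFOXHUB_API_KEY</key><string>rfh_example_not_a_real_key</string>
  </dict>
</dict></plist>
"""

if __name__ == "__main__":
    print(cron_entries_for(SAMPLE_CRONTAB, "main.py"))
    print(plist_findings(SAMPLE_PLIST, "main.py"))
    # print(audit_live("main.py"))  # uncomment to check this host
```

On a real host, call audit_live with the actual script filename from the skill's install directory; a plist hit with secret_env_vars listed means the key is sitting on disk and should be rotated after the job is removed.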

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# excerpt from the scanned script: appends a daily 16:00 cron entry by piping
# the current crontab plus a new line through a shell and back into crontab
script_path = os.path.abspath(__file__)
cron_line = f"0 16 * * * /usr/bin/python3 {script_path} --no-open"
try:
    subprocess.run(
        f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -',
        shell=True, check=True, capture_output=True
    )
Confidence
97% confidence
Finding
subprocess.run( f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -', shell=True, check=True, capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# excerpt from the scanned script: the unsubscribe branch removes every
# crontab line that grep matches against the script path, via a shell pipeline
else:
    script_path = os.path.abspath(__file__)
    try:
        subprocess.run(
            f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -',
            shell=True, check=True, capture_output=True
        )
Confidence
98% confidence
Finding
subprocess.run( f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -', shell=True, check=True, capture_output=True )
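Both subprocess findings above flag the same pattern: the script path is interpolated into a command string that a shell then parses. Two further properties are visible in the excerpts: the add branch appends unconditionally, so each --subscribe adds another line, and the remove branch uses grep -v with the path as a regex, which drops any crontab line the pattern happens to match. The following Python is an added example of the hardened form, not the skill's code: the crontab transformation is kept as pure string functions (testable without touching the host), the add is idempotent, removal matches only tagged lines for that exact path, and the new crontab is handed to crontab - on stdin as an argv list so no shell ever sees the path. The trailing marker tag is an assumption introduced here for exact matching; the scanned script has nothing like it.

```python
"""Crontab editing for a scheduled skill without shell=True.

Added example, not the skill's own code. Pure functions build the new crontab
text; only read_crontab/write_crontab touch the host, and they pass argv lists
so the script path is never parsed by a shell.
"""
import subprocess

# Assumed tag appended to the managed entry; cron runs the command through
# /bin/sh, which treats the trailing '# ...' as a comment.
MARKER = "# managed-by: redfoxhub-skill"


def cron_line_for(script_path: str, python: str = "/usr/bin/python3") -> str:
    """Build the daily 16:00 entry the scanned script installs, plus the marker."""
    return f"0 16 * * * {python} {script_path} --no-open {MARKER}"


def with_entry(crontab_text: str, entry: str) -> str:
    """Return crontab text containing entry exactly once (idempotent add)."""
    lines = crontab_text.splitlines()
    if entry in lines:
        return crontab_text
    lines.append(entry)
    return "\n".join(lines) + "\n"


def without_entry(crontab_text: str, script_path: str) -> str:
    """Drop only marked lines that run script_path; leave every other job alone.

    Unlike grep -v "<path>", this does not treat the path as a regex and does
    not remove unrelated jobs whose command merely contains the path as a prefix.
    """
    kept = [
        line for line in crontab_text.splitlines()
        if not (line.endswith(MARKER) and f" {script_path} " in line)
    ]
    return "\n".join(kept) + ("\n" if kept else "")


def read_crontab() -> str:
    """'crontab -l' exits non-zero when the user has no crontab; treat that as empty."""
    proc = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def write_crontab(new_text: str, current_text: str) -> bool:
    """Install new_text via stdin only if it differs; returns True when written."""
    if new_text == current_text:
        return False
    subprocess.run(["crontab", "-"], input=new_text, text=True, check=True)
    return True


def subscribe(script_path: str) -> bool:
    current = read_crontab()
    return write_crontab(with_entry(current, cron_line_for(script_path)), current)


def unsubscribe(script_path: str) -> bool:
    current = read_crontab()
    return write_crontab(without_entry(current, script_path), current)


# Constructed sample crontab: the second job deliberately shares the path
# prefix, so a grep -v on /home/me/skill/run.py would delete it as well.
SAMPLE = """0 16 * * * /usr/bin/python3 /home/me/skill/run.py --no-open # managed-by: redfoxhub-skill
0 3 * * * /usr/bin/python3 /home/me/skill/run.py.bak --archive
"""

if __name__ == "__main__":
    print(with_entry("", cron_line_for("/home/me/skill/run.py")), end="")
    print(without_entry(SAMPLE, "/home/me/skill/run.py"), end="")
```

Calling subscribe or unsubscribe changes the live crontab; the sample and the pure functions are enough to see the behaviour without doing so. A skill that wants the same on macOS via a LaunchAgent should likewise write the plist with plistlib and load it with an argv call to launchctl, and keep the API key out of the plist entirely.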

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and instructs use of capabilities including environment-variable access, network access, local file writes, browser opening, and shell-style subscription setup, but does not declare permissions or clearly bound those behaviors. This creates a transparency and consent problem: users may invoke a seemingly simple content-feed skill without realizing it can persist data locally and install scheduled automation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill installs and removes LaunchAgent/crontab entries, creating host-level persistence beyond simple report generation. In an agent-skill context this is more dangerous because users may expect a one-shot data tool, not a component that modifies OS scheduler state and keeps running automatically.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads an API key from the environment and later persists it into a LaunchAgent plist for scheduled execution. Storing credentials on disk in scheduler configuration increases exposure to local disclosure, backups, logs, and unintended reuse by other processes or users with file access.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The advertised 'subscription' feature is implemented by modifying LaunchAgents and crontab, which is a persistence mechanism on the host. In the context of an agent skill, undeclared or lightly disclosed persistence is security-relevant because it changes system behavior after the initial run.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README advertises daily auto-scan, report generation, auto-push, and archived reports, but it does not clearly disclose operational side effects such as sending user queries/content to an external API service, fetching third-party media, or creating/storing local or remote report artifacts. In a skill that processes external content and produces HTML reports, missing disclosure can mislead users about where data goes and what files or subscriptions may be created, increasing privacy and consent risks.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README explicitly tells users to invoke the skill with unrestricted natural language and broad example phrases, which can cause over-broad routing or accidental activation beyond the user's precise intent. In an agent ecosystem, vague activation surfaces increase the chance that unrelated requests trigger external data fetching or report generation, expanding the skill's effective permission and attack surface.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mentions '一键订阅' (one-click subscription) and command flags for subscription, but the description does not clearly warn that enabling it installs a daily scheduled task and writes recurring reports to local storage. Users may unknowingly authorize persistence and background execution, which is especially risky in agent environments where scheduled tasks can continue running after the original interaction ends.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code reads the API key and inserts it into a LaunchAgent plist without explicit warning that the credential will be stored on disk. That creates a real secret-handling weakness because local users, backups, and support tooling may expose the credential.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatic crontab modification occurs immediately on --subscribe without an explicit prior warning or confirmation dialog. In a skill ecosystem, silent persistence changes are risky because users may not realize the tool is altering recurring system tasks.

VirusTotal

VirusTotal findings are pending for this skill version.
