Keplerjai Bulletin Publish

Security checks across malware telemetry and agentic risk

Overview

This skill is for KeplerJAI bulletin publishing, but it can automatically create live website posts using account credentials without a clear confirmation gate.

Install only if you control the KeplerJAI account and intentionally want automated bulletin publication. Prefer a scoped API token over cookies, use dry-run or review payloads before live posting, and do not enable cron unless recurring autonomous publication is explicitly desired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill describes capabilities to read/write files, access environment variables, use the network, and invoke shell-driven workflow components, but it does not declare permissions or boundaries explicitly. That creates an authorization and review gap: an agent or operator may approve or schedule the skill without understanding its effective access, increasing the chance of unintended data exposure, filesystem modification, or external publication.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The prompt instructs the agent to perform live publication to a production API, which is a real side effect beyond passive content processing or summary generation. In an agent context, this can cause unauthorized or premature publication of externally sourced content, creating integrity, reputational, and operational risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Requiring shell-level curl execution gives the agent unnecessary direct network side-effect capability for a task that could otherwise be handled through safer, constrained integrations. This expands the attack surface and makes it easier for prompt-controlled content to trigger arbitrary outbound requests or misuse production endpoints.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The prompt instructs the agent to perform live publication to an external production API, which materially exceeds the stated skill purpose of collecting news, validating JSON, and producing a summary. This creates an integrity risk because an agent can take irreversible external actions under a summarization-oriented skill without an explicit safety boundary or scoped authorization model.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Requiring shell-based curl execution against an external API grants the prompt a direct mechanism for outbound network writes that are not obviously necessary for a portable workspace summarization task. This increases the attack surface by enabling real external actions, bypassing safer structured integrations and making it easier for prompt content to drive unauthorized or hard-to-audit operations.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The script accepts a user-controlled --log-file path, resolves it, creates parent directories, and appends attacker-controlled content to that file without any restriction to a safe workspace directory. In an agent or automation context, this can be abused to modify arbitrary files writable by the process, leading to file integrity issues, log forgery, or persistence if sensitive config or startup files are targeted.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill directs the agent to issue live POST requests to a production publishing endpoint without warning, disclosure, or confirmation. Because the skill processes externally sourced news content and explicitly forbids pausing for human confirmation, it increases the chance of silent unauthorized publication and makes the side effect especially dangerous in this context.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The prompt is framed as a one-shot end-to-end task with broad operational instructions, but it does not define clear trigger conditions, scope guards, or when the workflow is appropriate to run. In practice this makes accidental invocation and overbroad execution more likely, especially because the same prompt also contains live external publication steps.

Missing User Warnings

High
Confidence
97% confidence
Finding
The prompt directs real POST requests to an external API without any user-facing warning that data will be transmitted and content will be published outside the agent environment. Hidden external side effects are dangerous because users may believe the task is local summarization while the agent is actually performing network writes to a live service.

Missing User Warnings

High
Confidence
99% confidence
Finding
The prompt explicitly says not to ask for human confirmation before carrying out publication actions. This removes a key safety control for irreversible external writes and makes accidental, unauthorized, or prompt-induced publication significantly more likely.

VirusTotal

66/66 vendors flagged this skill as clean.