朋友圈4宫格卡片 (WeChat Moments 4-grid card)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate the promised WeChat cards, but it sends user topics to MiniMax using an API key bundled in its source code, while its documentation states that it uses OpenAI.

Review before installing. Do not enter confidential topics, assume prompts may be sent to MiniMax, and prefer a version that removes the bundled API key, uses user-provided credentials, accurately discloses external processing, and escapes generated HTML before rendering.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
77% confidence
Finding
The skill metadata declares no permissions, yet the analyzer reports capabilities for network and shell access. Undeclared privileged capabilities are dangerous because users and reviewers cannot accurately assess what the skill may do, and shell/network access can enable data exfiltration or arbitrary command execution if the underlying implementation is invoked.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
This is a strong security issue because the skill claims simple caption/image generation but reportedly also sends user input to a third-party API, stores generated files locally, and contains a hardcoded API credential. Hardcoded secrets can be stolen and abused, while undisclosed third-party transmission and local storage create privacy and data-handling risks that users were not informed about.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains a hardcoded MiniMax API key directly in source code, which is a real secret exposure. Anyone with access to the skill code can reuse the credential to make unauthorized third-party API calls, incur costs, or access associated account resources; in a distributed skill context this is especially dangerous because the key is exposed to all users or downstream packagers.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module description presents the skill as a local card-generation utility, but the implementation sends user-provided topics to an external API using embedded credentials. This mismatch undermines informed consent and can cause users to disclose sensitive inputs without realizing they are being transmitted off-device.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded API credential is actively used to authorize outbound requests, making the secret both exposed and operational. This enables credential theft, abuse of the third-party account, unexpected billing, and possible service suspension if the key is misused.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill transmits the user-supplied topic to an external HTTP API without explicit privacy notice or opt-in. Even if the input is usually innocuous, users may enter confidential marketing plans, health topics, or personal content, which would then be disclosed to a third party unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.
