Gajago Sns

Security checks across malware telemetry and agentic risk

Overview

The skill has a plausible SNS automation purpose, but it exposes a Gemini API key and gives broad, poorly scoped authority to run local tools, use fixed personal paths, and send generated content externally.

Review carefully before installing. The publisher should rotate (revoke) the exposed Gemini key and remove it from the skill, since deleting it from the file does not undo the exposure; replace personal hardcoded paths and sample content with user-selected inputs; declare all dependencies and external services; require confirmation before sending to Telegram or opening folders; and document how to stop any local server it starts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions while explicitly instructing the agent to execute shell commands, start a local web server, invoke Python scripts, download files, and write outputs to local paths. This mismatch is dangerous because it obscures the real execution surface from reviewers and users, reducing informed consent and making unexpected system actions easier to smuggle in.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior and the analyzed behavior diverge materially: the skill claims to transform user-provided input into SNS assets, but the findings indicate hard-coded local content, filesystem access, and behavior not described in the public interface. Description-behavior mismatch is risky because it can conceal unauthorized file operations or execution paths under an innocuous-looking skill description.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill directs the agent to start a local development web app and shell out to external scripts as part of a chat-triggered workflow. That expands the attack surface significantly beyond normal text generation by introducing process management and arbitrary local execution, which can be abused or fail in unsafe ways on the host system.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill embeds a live Gemini API key directly in documentation and command examples, exposing a reusable credential to anyone who can read or copy the file. Hardcoded secrets can be abused for unauthorized API usage, billing fraud, and downstream compromise if the same key is reused elsewhere.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill downloads audio from an external site at runtime without clear user notice, integrity checking, or domain allowlisting. This creates a supply-chain and privacy risk because content generation now depends on remote third-party data that could change, fail, or be replaced unexpectedly.
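Added example, not code from the skill or from SkillSpector: a download wrapper that supplies the two controls this finding says are missing, a host allowlist and an integrity check, and tells the user what is being fetched. The allowlisted host, the URL, the sample bytes and the in-memory fetcher are all constructed so the example runs offline; in a real skill the fetcher would be urllib or requests and the expected digest would be pinned in the skill's documentation.

```python
import hashlib
from urllib.parse import urlparse

# Assumption for this example: the only host the skill should pull media from.
ALLOWED_HOSTS = {"cdn.example.com"}


class DownloadRejected(Exception):
    pass


def fetch_verified(url, expected_sha256, fetcher, allowed_hosts=ALLOWED_HOSTS, notify=print):
    """Fetch `url` through `fetcher(url) -> bytes` only if the host is allowlisted
    and the content matches `expected_sha256`; raise DownloadRejected otherwise."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise DownloadRejected(f"refusing non-HTTPS download: {url}")
    if parts.hostname not in allowed_hosts:
        raise DownloadRejected(f"host not allowlisted: {parts.hostname}")
    notify(f"downloading {url} (expected sha256 {expected_sha256[:12]}...)")
    data = fetcher(url)
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256:
        raise DownloadRejected(f"integrity check failed for {url}: got {digest}")
    return data


# Constructed sample standing in for the audio file the skill wants.
SAMPLE_AUDIO = b"RIFF....WAVEfmt constructed-sample-audio"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_AUDIO).hexdigest()


def fake_fetcher(url):
    """Offline stand-in for urllib/requests: returns the pinned sample bytes."""
    return SAMPLE_AUDIO


def tampered_fetcher(url):
    """Simulates the remote file being replaced after the digest was pinned."""
    return SAMPLE_AUDIO + b"\x00"


def demo():
    """Run the happy path and three rejection cases; returns which cases behaved."""
    results = {}
    results["ok"] = fetch_verified("https://cdn.example.com/bgm.mp3", SAMPLE_SHA256, fake_fetcher) == SAMPLE_AUDIO
    for name, url, fetcher in [
        ("bad_host", "https://evil.example.net/bgm.mp3", fake_fetcher),
        ("plain_http", "http://cdn.example.com/bgm.mp3", fake_fetcher),
        ("tampered", "https://cdn.example.com/bgm.mp3", tampered_fetcher),
    ]:
        try:
            fetch_verified(url, SAMPLE_SHA256, fetcher)
            results[name] = False  # should not get here
        except DownloadRejected:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Pinning a digest also makes "the content changed" a loud failure rather than a silent behaviour change, which is the supply-chain point of the finding.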

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill performs system- and data-affecting actions including file creation, starting a local app, downloading media, and transmitting results via Telegram without clear up-front warning or opt-in. This is dangerous because users may provide sensitive images or text expecting local generation, while the skill can persist data, launch processes, and move content across boundaries without meaningful consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that generated images and text will be sent to Telegram but does not provide a user-facing warning, consent step, or data-sharing boundaries. If users supply sensitive text or photos, the skill may transmit them to an external messaging platform unexpectedly, creating confidentiality and compliance risks.

Missing User Warnings

High
Confidence
99% confidence
Finding
The file openly exposes and uses a sensitive API key with no handling guidance, making credential theft trivial. Anyone with access to the skill can reuse the key for unauthorized requests, incur costs, or tie abusive activity back to the owner.
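Added example, not part of the skill or of SkillSpector's output, covering this finding and the earlier ones on the hardcoded Gemini key and on undeclared execution capabilities: a small static check to run over a skill's instruction file before installing it. It flags Google API keys (Gemini keys are issued in the Google format, `AIza` followed by 35 URL-safe characters), machine-specific personal paths, and shell, network, local-server and GUI-opening instructions that the skill's manifest does not declare. The SKILL.md text is constructed, the capability names are this example's own, and the key in the sample is a fake that only matches the format.

```python
import re

# Google API keys (Gemini keys use this format) are "AIza" plus 35 URL-safe characters.
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")
# Personal, machine-specific paths that will not exist on another user's host.
PERSONAL_PATH_RE = re.compile(r"(?:/Users/|/home/|C:\\Users\\)[^\s/\\'\"]+")
# Heuristic markers for capabilities a skill manifest should declare (example's own names).
CAPABILITY_MARKERS = {
    "shell_exec": re.compile(r"\b(?:bash|sh|ffmpeg|python3?|npm|node)\b"),
    "network": re.compile(r"\b(?:curl|wget|https?://)"),
    "local_server": re.compile(r"localhost:\d+|127\.0\.0\.1:\d+"),
    "open_gui": re.compile(r"\bopen\s+(?:-a\s+)?\S+|\bxdg-open\b"),
}


def audit_skill(text, declared_capabilities=frozenset()):
    """Return (line_no, kind, detail) issues for a skill instruction file.
    Capability issues use line 0 because they summarise the whole file."""
    issues = []
    used = set()
    for no, line in enumerate(text.splitlines(), start=1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            issues.append((no, "hardcoded_api_key", m.group(0)[:8] + "..."))  # never echo the full key
        for m in PERSONAL_PATH_RE.finditer(line):
            issues.append((no, "personal_path", m.group(0)))
        for kind, rx in CAPABILITY_MARKERS.items():
            if rx.search(line):
                used.add(kind)
    for kind in sorted(used - set(declared_capabilities)):
        issues.append((0, "undeclared_capability", kind))
    return issues


# Constructed SKILL.md excerpt shaped like the findings describe; the key is fake.
SAMPLE_SKILL_MD = """\
# Example SNS skill
## Step 1: start the web app
cd /Users/alice/projects/sns-app && npm run dev
## Step 2: generate copy
curl -s -X POST http://localhost:3000/api/copy -H "x-goog-api-key: AIzaSyEXAMPLE_0000000000000000000000000"
## Step 3: render video
ffmpeg -y -i /Users/alice/Desktop/in.png out.mp4
open /Users/alice/Desktop/output
"""

if __name__ == "__main__":
    for issue in audit_skill(SAMPLE_SKILL_MD):
        print(issue)
```

On the skill side the fix for the key finding is to read it from the environment (for example `os.environ["GEMINI_API_KEY"]`), document that variable, and never print it; the scanner above deliberately truncates any match so the report itself does not become a second leak.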

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill writes outputs to fixed local paths and automatically opens them in Finder without warning the user. This can expose generated content to other local users or processes, create privacy surprises, and cause unintended interaction with files on shared or monitored systems.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The ffmpeg command includes the -y flag, which forces overwrite of the destination MP4 without confirmation. In an automated agent context, this can silently destroy a previous output file or any file reachable via that output path if the path becomes reused or changed, increasing the risk of unintended data loss.
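Added example, not the skill's own command: building the render step so it cannot silently overwrite anything. ffmpeg provides the fix itself: `-y` forces overwrite, `-n` refuses to overwrite and exits if the output file already exists. The wrapper also confines the output name to one directory and refuses existing files before ffmpeg is even invoked. The page does not show the skill's actual ffmpeg arguments, so the image-plus-audio pipeline, the output directory and the file names here are assumptions for the example.

```python
import tempfile
from pathlib import Path


class UnsafeOutputPath(Exception):
    pass


def safe_output_path(output_dir, name):
    """Resolve `name` inside `output_dir`; reject names that escape it or already exist."""
    base = Path(output_dir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:  # catches "../x", absolute names and symlink escapes
        raise UnsafeOutputPath(f"{name!r} resolves outside {base}")
    if target.exists():
        raise UnsafeOutputPath(f"{target} already exists; choose a new name or delete it explicitly")
    return target


def build_ffmpeg_cmd(image, audio, output_dir, name="out.mp4"):
    """Return argv for the render step using -n (never overwrite) instead of -y.
    The encoding options are an assumed image+audio-to-MP4 pipeline."""
    target = safe_output_path(output_dir, name)
    return ["ffmpeg", "-n", "-loop", "1", "-i", str(image), "-i", str(audio),
            "-c:v", "libx264", "-c:a", "aac", "-shortest", str(target)]


def demo():
    """Exercise the checks in a throwaway directory; returns what each case did."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cmd = build_ffmpeg_cmd("in.png", "bgm.mp3", d, "fresh.mp4")
        results["flag"] = cmd[1]
        (Path(d) / "taken.mp4").write_bytes(b"")  # pre-existing output
        for case, name in [("existing", "taken.mp4"),
                           ("traversal", "../escape.mp4"),
                           ("absolute", "/tmp/escape.mp4")]:
            try:
                build_ffmpeg_cmd("in.png", "bgm.mp3", d, name)
                results[case] = "allowed"
            except UnsafeOutputPath:
                results[case] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

With `-n` a clash becomes a visible non-zero exit the agent has to surface, which is the right failure mode for an unattended workflow.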

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 2: Generate copy with the Gemini API
```bash
# Call the web app API
curl -s -X POST http://localhost:3000/api/copy \
  -H "Content-Type: application/json" \
  -d '{
    "text": "[input content]",
```
Confidence
80% confidence
Finding
curl -s -X POST http://localhost:3000/api/copy \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.