CineScope XHS

Security checks across malware telemetry and agentic risk

Overview

This is a coherent movie-review assistant that uses disclosed external search APIs, with the main caution that broad triggers may send movie-related queries to search providers sooner than expected.

Install if you are comfortable with a movie-review skill using external search services. Avoid including private personal details in movie questions, use dedicated Tavily or Bocha API keys, and prefer Markdown or ASCII chart output if you do not want HTML/JavaScript chart rendering.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

High
Confidence: 96%
Finding
The skill is configured to trigger on extremely broad, ambiguous user input, including merely mentioning a movie name with a question-like tone. This can cause unintended activation, leading to unnecessary external searches and data processing without clear user intent, which increases privacy and consent risk.

Vague Triggers

High
Confidence: 94%
Finding
Using 'including but not limited to' with common conversational phrases creates an open-ended activation scope that is difficult to bound or audit. In practice, this makes the skill prone to over-collection and accidental invocation, especially because the skill subsequently performs third-party searches.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill mandates multi-source external data collection but does not require informing the user that their query may be sent to third-party services such as Tavily or Bocha. This creates a transparency and privacy problem because user-provided film titles, preferences, and possibly sensitive context are transmitted externally without explicit notice or consent.

External Transmission

Medium
Category
Data Exfiltration
Content
# Bocha API fallback search
# (used when the Tavily API fails)
# API docs: https://open.bochaai.com/
curl -X POST "https://api.bocha.cn/v1/web-search" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${BOCHA_API_KEY}" \
  -d '{"query":"夜王 电影 豆瓣评分"}'
Confidence: 95%
Finding
curl -X POST "https://api.bocha.cn/v1/web-search" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${BOCHA_API_KEY}" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Web Search API
curl -X POST "https://api.bocha.cn/v1/web-search" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $BOCHA_API_KEY" \
  -d '{"query":"夜王 电影 豆瓣评分"}'
```
Confidence: 94%
Finding
curl -X POST "https://api.bocha.cn/v1/web-search" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $BOCHA_API_KEY" \ -d '{"query":"夜王 电影 豆瓣评分"}' # Reranker API(可选,用于语义排序) curl

External Transmission

Medium
Category
Data Exfiltration
Content
**Invocation strategy:**
1. Use `tavily-search` for the primary retrieval (supports `--deep` deep search)
2. If the Tavily API errors or returns no results, fall back to the Bocha `博查 API` (Endpoint: `https://api.bocha.cn/v1/web-search`)
3. When the content of a specific page is needed, use `tavily-search extract` or `web_fetch`

---
Confidence: 88%
Finding
https://api.bocha.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
# Bocha API fallback search
# (used when the Tavily API fails)
# API docs: https://open.bochaai.com/
curl -X POST "https://api.bocha.cn/v1/web-search" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${BOCHA_API_KEY}" \
  -d '{"query":"夜王 电影 豆瓣评分"}'
Confidence: 95%
Finding
https://api.bocha.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Web Search API
curl -X POST "https://api.bocha.cn/v1/web-search" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $BOCHA_API_KEY" \
  -d '{"query":"夜王 电影 豆瓣评分"}'
```
Confidence: 94%
Finding
https://api.bocha.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"query":"夜王 电影 豆瓣评分"}'

# Reranker API (optional, used for semantic re-ranking)
curl -X POST "https://api.bocha.cn/v1/rerank" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $BOCHA_API_KEY" \
  -d '{"query":"夜王 影评","documents":["文档 1","文档 2"]}'
Confidence: 93%
Finding
https://api.bocha.cn/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal