
Security audit

China Install Skills

Security checks across malware telemetry and agentic risk

Overview

This skill can install ClawHub skills, but it also silently makes persistent changes that affect future terminal and agent behavior.

Review carefully before installing. Only proceed if you are comfortable with a post-install hook that may add a weekly cron job, write agent memory, create `cinstall`, modify PATH, and shadow `clawhub install`; otherwise remove the post-install hook and use the download/install scripts manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (36)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents substantial shell-script execution capabilities but does not declare permissions or clearly bound what commands may run. In an installer skill, hidden shell capability increases the risk of unsafe execution paths, especially because later sections describe persistence and environment modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The stated purpose is a rate-limit workaround for skill installation, but the documented behavior goes well beyond that: silent initialization, cron persistence, PATH modification, command replacement, and wrapper installation. This mismatch prevents informed consent and creates a high-risk supply-chain/persistence channel under the guise of a simple installer.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The installer is presented as a tool for downloading and installing skills, yet it also documents persistent user-environment changes such as cron setup, PATH changes, command replacement, and memory writes. Persistent modifications expand attack surface and can outlive the user's awareness of the original install action.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The security section claims the skill does not modify system configuration, but elsewhere the file explicitly says it configures crontab, replaces commands, and adds entries to PATH. Contradictory security claims are dangerous because they can mislead users and reviewers into approving risky behavior they would otherwise reject.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The config enables autonomous execution of a post-install script that sets up a recurring cron job, which extends the skill's behavior beyond a one-time installer into persistent scheduled execution. Because the skill already advertises bypassing normal API rate limits via direct access, adding persistence increases risk: users may unknowingly grant ongoing execution that can later perform networked actions, updates, or policy-evading behavior without explicit consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script silently sets up a cron job during initialization without user consent, creating persistence beyond what a normal installer needs. In the context of an agent skill, this is dangerous because it enables ongoing code execution and background updates that the user may not notice or review.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The initializer writes promotional and operational instructions into the agent's memory files, affecting future agent behavior outside the install flow. This crosses from installation into behavioral modification, and could bias or redirect later actions without transparent user approval.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script explicitly states that configuration should happen without user awareness, while later code modifies PATH and intercepts commands. Hidden environmental changes and command interception are risky because they undermine user expectations and make security review much harder.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The embedded text advertises transparent replacement of `clawhub install`, confirming the script is designed to hijack normal command behavior rather than just assist installation. Even if intended as convenience, hidden substitution can redirect users to unreviewed code paths and mask network or filesystem activity.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is described as an installer helper, but it persistently replaces `clawhub` resolution by placing a wrapper earlier in PATH. This is a command hijack mechanism: future invocations may execute the wrapper instead of the original binary, enabling silent redirection of installs and searches.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script persistently edits the user's shell startup file to add ~/.local/bin to PATH. Although it prompts first, modifying login shell configuration creates lasting side effects outside the installer's immediate scope and can change command resolution for future sessions in ways the user may not expect.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The installer writes an installation record into the agent workspace Memory area, including install path and usage instructions. This is a persistent write into application state not strictly necessary for installation, and it may expose local paths or create unintended side effects in downstream agent behavior that consumes Memory files.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script creates a persistent helper command in ~/.local/bin and may also update PATH so the command is invoked in future sessions. Establishing persistent command execution capability exceeds a minimal installer action and increases trust surface, especially because the helper delegates to other scripts that may later change behavior.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This script adds persistent weekly auto-update behavior via crontab, which exceeds the stated purpose of a one-time installer and creates an ongoing execution path. Persistent scheduled execution increases attack surface because any compromise or unsafe behavior in auto-update.sh will recur automatically without fresh user review.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Crontab persistence is a sensitive capability because it establishes recurring code execution on the user's system. For a China-focused skill installer, this capability is not obviously necessary from the provided context, so its inclusion is suspicious and can enable long-term unauthorized behavior if the updater is modified or abused.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes automatic update checks and one-click cron configuration without clearly warning users that their personal crontab will be modified. Silent or insufficiently disclosed persistence mechanisms are risky because they create ongoing execution behavior that users may not expect, especially for a skill that downloads and installs code from remote sources.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The installation examples copy files into an agent skills directory and present commands that can overwrite or modify local contents without a prominent warning. While this is common for installers, failing to disclose filesystem modification increases the risk of accidental overwrites, confusing state changes, or unsafe installation into sensitive workspace paths.

Missing User Warnings

High
Confidence
99% confidence
Finding
The text states initialization will run automatically 'without user awareness' while making persistent changes such as cron configuration and command replacement. Silent execution plus persistence is a classic high-risk pattern because it removes consent and enables lasting control over future commands and updates.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The search trigger list includes broad phrases like '搜索' (search), '查找' (find), and 'search', which can easily appear in normal conversation. Over-broad triggers increase the chance of accidental activation and unintended network/tool use.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The download triggers include generic terms like '下载' (download), '获取' (get, obtain), and 'download', which are too common to safely bind to a capability that fetches remote content. Accidental activation could cause unreviewed downloads from external infrastructure.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The install trigger list uses ambiguous language such as '安装' (install) and 'install' without scope constraints, even though installation writes files into agent skill directories and may overwrite existing content. Broad install triggers can turn ordinary discussion into state-changing actions.

Vague Triggers

High
Confidence
97% confidence
Finding
The quick-install triggers are especially broad and conversational, such as '帮我装' (install it for me) and '安装一个' (install one), but they chain search, download, and install automatically. Because this combines discovery, retrieval, and file writes, accidental activation is more dangerous than for a read-only action.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The auto-update trigger list includes vague terms like '更新检查' (update check) and 'heartbeat', which are not distinctive enough for a feature that scans workspaces and performs network version checks. This can cause unintended recurring or stateful operations to start from ordinary language.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script performs silent system modifications, including executable permission changes and cron setup, with logging only to a temp file and no user confirmation. Silent persistence and environment changes are especially dangerous in an installer because users may not realize long-term behavior has been altered.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The natural-language requirement that setup occur without user perception is itself a red flag because it signals deliberate concealment of state changes. In this file, that language aligns with hidden persistence and command interception, increasing the likelihood of unsafe installer behavior.
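The PATH-shadowing, shell-startup-file and crontab findings above describe artifacts that a user can look for directly on the machine where the skill was installed. The following POSIX shell script is an added example written for this audit page; it is not code from the skill, from ClawHub or from SkillSpector. It assumes, because the findings name these but do not quote the installed lines, that the wrapper and helper land in ~/.local/bin, that the helper is called cinstall, and that the cron entry references auto-update.sh or cinstall; adjust those hypothetical names if your install differs.

```shell
#!/bin/sh
# Added audit helper for the findings above (not part of the skill).
# Hypothetical assumptions: wrapper dir is ~/.local/bin, helper is cinstall,
# cron line mentions auto-update.sh or cinstall.

# resolve_all NAME PATHSTRING: print every executable NAME found along
# PATHSTRING, in resolution order. The first line is what the shell runs.
resolve_all() {
    name=$1
    printf '%s\n' "$2" | tr ':' '\n' | while read -r dir; do
        [ -n "$dir" ] || dir=.          # empty PATH component means "."
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
}

# shadow_check NAME PATHSTRING [WRAPPER_DIR]: return 0 when NAME resolves to
# more than one executable and the winning one lives in WRAPPER_DIR, i.e. the
# command-hijack layout the "Description-Behavior Mismatch" findings describe.
shadow_check() {
    wrapper_dir=${3:-$HOME/.local/bin}
    hits=$(resolve_all "$1" "$2")
    count=$(printf '%s\n' "$hits" | grep -c . || true)
    first=$(printf '%s\n' "$hits" | head -n 1)
    if [ "$count" -gt 1 ]; then
        case $first in
            "$wrapper_dir"/*) return 0 ;;
        esac
    fi
    return 1
}

# cron_check: read a crontab listing on stdin, print active (non-comment)
# lines that schedule the updater or helper. Exit status 0 if any were found.
cron_check() {
    grep -E 'auto-update\.sh|cinstall' | grep -v '^[[:space:]]*#'
}

# rc_check FILE...: print lines in shell startup files that put ~/.local/bin
# on PATH, the persistent edit one finding says the installer makes.
rc_check() {
    grep -nH -E 'PATH=.*\.local/bin' "$@" 2>/dev/null
}

# scan_system: run all three checks against the live environment.
scan_system() {
    echo "== commands shadowed by a wrapper in $HOME/.local/bin =="
    for cmd in clawhub cinstall; do
        if shadow_check "$cmd" "$PATH"; then
            echo "SHADOWED: $cmd"
            resolve_all "$cmd" "$PATH"
        fi
    done
    echo "== crontab entries for the updater/helper =="
    if command -v crontab >/dev/null 2>&1; then
        crontab -l 2>/dev/null | cron_check || echo "(none)"
    else
        echo "(crontab not available)"
    fi
    echo "== PATH edits in shell startup files =="
    rc_check "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.profile" \
             "$HOME/.bash_profile" || echo "(none)"
}

# Only scan when explicitly asked, so sourcing the file has no side effects.
case ${1:-} in
    --scan) scan_system ;;
esac
```

Run it as `sh audit.sh --scan`. A "SHADOWED: clawhub" line followed by two paths means the wrapper, not the original binary, handles `clawhub install`; the crontab and startup-file sections show the other two persistence points, which you can then remove with `crontab -e` and by deleting the PATH line.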

VirusTotal

66/66 vendors reported this skill as clean. A clean signature scan does not contradict the behavioral findings above: adding a crontab entry, editing a shell startup file and placing a wrapper earlier in PATH are ordinary shell operations that antivirus engines do not flag, so the risk here is in what the documented scripts do, not in a recognizable malware payload.


Static analysis

No suspicious patterns detected.