浅草寺.skill

Security checks across malware telemetry and agentic risk

Overview

This fortune-drawing skill presents itself as a local bundled experience, but its helper downloads and runs unpinned remote Python code from GitHub.

Review before installing. Only use this skill if you fully trust the external GitHub repository and accept that later changes there could alter what runs locally without a ClawHub package update. A safer version should bundle the fortune data and drawing code locally, or at minimum pin and verify any remote content and never execute downloaded Python.
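The pattern the overview recommends, pin, verify, and never execute, as an added example that is not the skill's own code: fortune data is fetched from a commit-pinned URL, checked against a digest recorded at review time, parsed as plain JSON, and the draw itself runs from code bundled with the skill. The repository, commit and digest are placeholders, and the sample fortunes.json is constructed here so the logic can run offline.

```python
import hashlib
import json
import random
import urllib.request

# Placeholders: the real repository, commit and digest are not given on this page.
PINNED_COMMIT = "<40-hex-commit-sha>"
FORTUNE_URL = ("https://raw.githubusercontent.com/EXAMPLE_OWNER/EXAMPLE_REPO/"
               f"{PINNED_COMMIT}/fortunes.json")
EXPECTED_SHA256 = "<sha256-of-the-reviewed-fortunes.json>"


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """True only if the bytes match the digest recorded when the data was reviewed."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


def load_fortunes(data: bytes, expected_hex: str) -> list[dict]:
    """Parse fortune data as plain JSON; nothing in it is ever executed."""
    if not verify_sha256(data, expected_hex):
        raise ValueError("fortune data does not match the pinned digest")
    fortunes = json.loads(data.decode("utf-8"))["fortunes"]
    if not all(isinstance(f, dict) and {"rank", "text"}.issubset(f) for f in fortunes):
        raise ValueError("unexpected fortune record shape")
    return fortunes


def draw(fortunes: list[dict], seed=None) -> dict:
    """The drawing logic lives in the skill itself, not in downloaded code."""
    return random.Random(seed).choice(fortunes)


def fetch_pinned(url: str = FORTUNE_URL, expected_hex: str = EXPECTED_SHA256) -> list[dict]:
    """Network path: commit-pinned URL plus digest check before the data is used."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return load_fortunes(resp.read(), expected_hex)


# Constructed sample standing in for the reviewed fortunes.json (offline use).
SAMPLE_DATA = json.dumps({"fortunes": [
    {"rank": "大吉", "text": "Great blessing"},
    {"rank": "小吉", "text": "Small blessing"},
    {"rank": "凶", "text": "Misfortune"},
]}, ensure_ascii=False).encode("utf-8")
# In a real skill this digest is a constant shipped with the reviewed code,
# never recomputed from whatever was just downloaded.
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DATA).hexdigest()
```

A one-byte change to the downloaded file fails the digest check and the skill refuses to use it, which is the property the unpinned helper lacks.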

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
A fortune-drawing skill that claims to use bundled local data should not require undeclared file-write or network-capable behavior. If the skill can write files or reach the network without explicit permission declarations, it expands the attack surface for data exfiltration, remote payload retrieval, or persistence beyond the stated functionality.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a self-contained local omikuji experience, yet its code reaches GitHub (raw.githubusercontent.com), downloads executable code at runtime, and executes that code via runpy. That combination is highly dangerous because it enables arbitrary code execution controlled by external content, defeats review of the shipped skill, and allows behavior to change after deployment.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script contradicts the skill's stated behavior by downloading both code and fortune data from GitHub at runtime instead of using bundled local assets. This creates a supply-chain trust problem: anyone who can change the remote repository, branch contents, or network path can alter the skill's behavior after review, making the delivered functionality unverifiable and unsafe.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The code downloads a Python file from the internet and immediately executes it with runpy.run_path, which is equivalent to running untrusted remote code on the host. For a simple omikuji-drawing skill, there is no legitimate need for dynamic code execution, so the behavior is especially dangerous and strongly indicative of a serious supply-chain or arbitrary code execution risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill silently retrieves and runs remote code without any user disclosure, consent, or visible warning, preventing users and reviewers from understanding the true execution behavior. In this context, the mismatch is more dangerous because the skill is presented as a harmless ritual fortune draw, so users would not reasonably expect hidden network activity and code execution.

VirusTotal

67/67 vendors flagged this skill as clean.