Income Lab 收入实验室

Security checks across malware telemetry and agentic risk

Overview

This income-tracking skill is mostly coherent, but it includes external billing code that can charge an environment-selected user through SkillPay without strong scoping or per-charge confirmation.

Review before installing. Expect SkillPay billing behavior and possible 0.01 USDT charge attempts when the payment path runs; confirm which SKILLPAY_USER_ID will be used. Avoid sensitive income notes unless you are comfortable with local storage under ~/.income-lab. The publisher should remove the hardcoded API key, split balance checks from charge execution, and add clearer consent and data-handling documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (12)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
97% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares no permissions while the analysis indicates access to environment variables, files, network, and file writing. That mismatch prevents informed consent and review, and is especially risky here because the skill also appears to track user activity and interact with an external payment system. Hidden capabilities enlarge the attack surface for data exfiltration, unauthorized state changes, or undisclosed billing flows.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is income experimentation, but the skill reportedly performs external billing via SkillPay, uses a hardcoded API key, identifies users through an environment variable, and can generate payment links when balances are low. This is a severe transparency and trust violation: users may be charged or have account-linked financial actions triggered without clear, scoped disclosure, and a hardcoded key creates additional risk of unauthorized billing or service abuse if exposed.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements mandatory external billing and blocks execution unless payment succeeds, but the skill is described as an income-experiment assistant rather than a paid external service. This mismatch is dangerous because users and platforms may invoke the skill expecting normal assistant behavior while the code silently enforces third-party monetization and redirects users to an external payment system.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill reads a billing identity from an environment variable and uses it to determine who will be charged. In this context, that is unjustified by the skill purpose and unsafe because environment variables are not a trustworthy authorization source for mapping a runtime invocation to a billable user.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The function claims to 'verify whether a user has already paid' but actually performs a charge by calling charge_user immediately. This deceptive naming and documentation can lead developers or integrators to invoke the function in supposedly harmless preflight checks, causing unintended charges and making billing abuse easier to hide.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill describes reminders, tracking, ROI calculation, and periodic reviews without warning users that financial, behavioral, and activity data may be collected, stored, or transmitted. Because the skill handles sensitive income-related logs and may have file/network capabilities, lack of privacy disclosure increases the risk of silent data collection, retention, and sharing beyond user expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The billing flow charges the user during payment verification without an explicit warning or confirmation at the point of charge. In a skill context, this increases the likelihood of surprise charges, consent violations, and disputes, especially when the function name suggests a harmless check rather than a billable action.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Income Lab dependencies

# Data processing (optional)
pandas>=2.0.0
numpy>=1.24.0
matplotlib>=3.7.0
Confidence
84% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Data processing (optional)
pandas>=2.0.0
numpy>=1.24.0
matplotlib>=3.7.0

# Date handling
Confidence
84% confidence
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Data processing (optional)
pandas>=2.0.0
numpy>=1.24.0
matplotlib>=3.7.0

# Date handling
python-dateutil>=2.8.0
Confidence
82% confidence
Finding
matplotlib>=3.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
matplotlib>=3.7.0

# Date handling
python-dateutil>=2.8.0
Confidence
83% confidence
Finding
python-dateutil>=2.8.0

VirusTotal

65/65 vendors flagged this skill as clean.
