Kaggle

Security checks across malware telemetry and agentic risk

Overview

The skill is openly a Kaggle automation bundle, but it can use live Kaggle credentials to create, upload, submit, and edit account resources with weak confirmation and unsafe secret-handling guidance.

Review this carefully before installing. Do not paste Kaggle API tokens or keys into chat; place them locally yourself and keep permissions strict. Use dry-run/status modes first, avoid running badge phases on an important account, and require explicit confirmation before any upload, notebook push, competition submission, profile edit, delete, or scheduled streak action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares only allowed-tools but no explicit permission model despite clearly instructing use of shell commands, environment variables, and local credential files. This creates a mismatch between what the skill can do and what a reviewer or runtime policy may expect, increasing the chance of unintended credential access or filesystem modification.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file is explicitly designed to automate Kaggle badge acquisition rather than provide normal user-requested Kaggle assistance. This is risky because it enables deceptive reputation farming and account actions that may violate platform rules, creating trust, compliance, and abuse issues beyond the stated skill purpose.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script mass-creates notebooks, datasets, and models with autogenerated content solely to earn badges, which operationalizes platform abuse at scale. In the context of a general Kaggle skill, this is more dangerous because it turns a broad assistant surface into an automated account-manipulation tool capable of unwanted uploads and policy violations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script reads Kaggle credentials from environment variables or ~/.kaggle/kaggle.json even though the browser actions shown do not actually use those secrets to authenticate. Unnecessary access to sensitive credentials expands the skill's privilege surface and creates risk of accidental disclosure, misuse in later code changes, or user surprise because the credential access is not clearly disclosed.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script's docstrings repeatedly state that it publishes private datasets and models, but the implementation does not enforce any privacy setting or verify that the created resource is actually private. In a skill centered on Kaggle uploads, this mismatch can cause operators to unintentionally publish sensitive data or proprietary models with the wrong visibility, especially if they rely on the script's documentation rather than the underlying library defaults.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger text is extremely broad, causing the skill to activate for almost any Kaggle-related mention, including casual questions that do not require credential handling or shell execution. Over-broad activation expands the attack surface by unnecessarily loading a high-privilege skill into contexts where a safer read-only response would suffice.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs storing Kaggle credentials in local files and environment variables, but the warning is limited and appears after operational guidance rather than before the write actions. That can lead users or agents to persist secrets locally without clear upfront consent, secure-path guidance, or least-privilege handling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README describes automation that uses browser control and scheduled recurring execution against a live Kaggle account, but it does not clearly warn users that the skill may continuously perform actions on their behalf. That omission can lead to unsafe deployment, unintended account activity, rate-limit or policy violations, and harder incident response because users may not realize automation remains active after initial setup.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to configure KAGGLE_USERNAME and KAGGLE_KEY but provides no security guidance for handling these credentials. This increases the risk that users expose secrets in shell history, logs, screenshots, shared environments, or version control, which could allow unauthorized access to the Kaggle account and associated actions performed by the automation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code performs remote Kaggle uploads and resource creation without any visible user-facing confirmation or warning in this file. That is dangerous because an agent could trigger persistent external account actions unexpectedly, causing unauthorized uploads, account clutter, policy violations, or reputational harm for the user.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The script silently creates temporary files, notebooks, CSVs, READMEs, and metadata manifests on the local filesystem as part of its workflow. While lower impact than remote uploads, undisclosed local writes can still surprise users, interfere with environments, and create residual sensitive or misleading artifacts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function performs a real Kaggle competition submission immediately, using the user's authenticated CLI context, without an explicit consent gate at the point of action. In an agent skill, this is dangerous because it can cause unintended remote side effects on a user's external account, including submissions, account activity, and possible competition-rule or rate-limit consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This path automatically discovers an active competition, downloads its data, extracts archives, and submits a file, all without prior user disclosure or approval. That combination of network access, local file writes, archive extraction, and external account actions creates meaningful risk in an autonomous skill because it can trigger unintended submissions and process untrusted downloaded content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code automatically selects a research/community competition, downloads competition artifacts, extracts them locally, and submits a file without explicit user warning. In the context of an agent skill tied to a real Kaggle account, these are high-risk side effects because they may violate user expectations, create unwanted account activity, and handle untrusted remote files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function writes a notebook and metadata locally, then pushes the notebook to Kaggle under the user's account without a consent prompt. In an agent setting, silently publishing or uploading assets to an external service is a genuine security concern because it creates remote side effects, may consume account resources, and could expose user identity or activity unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code creates a competition notebook on disk and immediately pushes it to Kaggle, again using the user's authenticated context and without advance disclosure. The skill context makes this more dangerous because the feature is expressly designed to automate badge collection, increasing the likelihood of repeated non-consensual remote actions across a user's external account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code silently reads sensitive Kaggle credentials from the environment or a local credential file without any user-facing notice or consent prompt. In an agent skill context, this is more dangerous because users may invoke badge automation expecting UI actions, not local secret access, so the behavior violates least surprise and can enable over-privileged data access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The authentication section documents multiple ways to store or export Kaggle credentials but provides no caution about secret handling, shell history exposure, file permissions, or avoiding accidental disclosure in logs and notebooks. In a skill meant to guide users through Kaggle operations, this omission increases the chance that users expose long-lived API credentials while following the instructions.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The reference includes remote delete commands without warning that they can permanently remove Kaggle datasets, models, or kernels, or that they warrant explicit confirmation before use. In an agent skill context, concise command references may be turned into direct operational guidance, making accidental destructive actions more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The upload/create/version/push commands can publish local files, metadata, notebook contents, and model artifacts to Kaggle, yet the document does not warn about data exfiltration or accidental publication. Because this skill covers datasets, notebooks, and models, the missing warning is more dangerous than in a purely passive reference: agents may use these commands on behalf of users and transmit sensitive local content.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The reference includes credential-setting examples for username, API key, and API token without any warning about secret handling, storage, logging, or least exposure. In an agent skill context, this can encourage users or downstream code to place secrets directly in prompts, source files, notebooks, or logs, increasing the risk of credential leakage and account compromise.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The reference documents tools that can create, update, delete, submit, and publish Kaggle resources, including private datasets and model assets, without explicit warnings about irreversible actions, privacy exposure, or the need for user confirmation. In an agent skill context, this increases the chance an assistant could carry out destructive or privacy-impacting operations on behalf of a user without sufficiently informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly tells the agent to ask the user to provide a newly generated Kaggle API token, which normalizes sharing a live secret in chat. Even though the surrounding text includes some storage hygiene guidance, it does not warn that the agent should never collect the token value itself, creating a clear secret-exfiltration risk.

Ssd 3

Medium
Confidence
98% confidence
Finding
The instructions repeatedly direct the agent to obtain live Kaggle credentials from the user in chat, including both the primary token and legacy username/key pair. Collecting active credentials through conversational channels is dangerous because transcripts, logs, integrations, or downstream tools may retain or expose those secrets.

Credential Access

High
Category
Privilege Escalation
Content
- `modules/comp-report/scripts/competition_details.py` — Files, leaderboard, kernels per competition

**Kaggle Interaction (kllm):**
- `modules/kllm/scripts/setup_env.sh` — Auto-configure credentials (with .env loading)
- `modules/kllm/scripts/check_credentials.py` — Verify and auto-map credentials
- `modules/kllm/scripts/network_check.sh` — Check Kaggle API reachability
- `modules/kllm/scripts/cli_download.sh` — Download datasets/models via CLI
Confidence
80% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.
