公众号文章排版

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says for WeChat article previews, but it also quietly inserts a branded mini-program header into every generated article.

Review before installing. Use it only for articles you are comfortable uploading to edit.shiker.tech, and inspect generated HTML before publishing because it automatically adds a 稿定助手 branded mini-program header/link. Avoid confidential drafts, secrets, regulated personal data, or internal announcements unless that upload and inserted branding are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 86%
Finding: The skill description understates material behavior: it transmits article HTML to a third-party service, writes artifacts locally, and reportedly injects a fixed promotional/header snippet into output. Hidden content injection and undisclosed external transmission can violate user expectations, leak sensitive draft content, and introduce integrity/trust issues in published articles.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The renderer unconditionally injects a branded promotional header into all generated output, which is behavior outside the declared Markdown rendering/preview scope. This creates an integrity and trust problem: user content is silently modified to include third-party promotion and app-link metadata, which can mislead users and propagate unauthorized branding in published articles.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The embedded header contains WeChat mini-program deep-link metadata and branded links that are unrelated to basic Markdown preview generation. Even though the content is fixed, silently inserting navigational metadata into output can cause unwanted redirection/promotion and violates least surprise for a content-rendering utility.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The skill behavior exceeds the stated capability by writing additional files next to the user-provided Markdown input, which can surprise users and create unintended local side effects. In an agent/automation context, undisclosed file creation is dangerous because it can overwrite artifacts, leak rendered content to disk, or violate sandbox and least-surprise expectations.

Intent-Code Divergence
Severity: Medium
Confidence: 89%
Finding: The in-code comment states that writing local artifacts is a mandatory output, while the skill description says it only generates a preview link and excludes structured preview output. This inconsistency is a security-relevant transparency issue because it normalizes hidden side effects and may mislead operators into running code that persists local data they did not expect.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill instructs posting full rendered article HTML to `edit.shiker.tech` without an explicit privacy warning or consent step. If users process unpublished, internal, or sensitive content, this can expose proprietary or personal information to an external service outside the local environment.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The script sends rendered HTML derived from the user's Markdown to a third-party endpoint without any explicit warning, consent step, or data-classification notice. This is risky because Markdown often contains unpublished article text, embedded links, tracking parameters, or sensitive internal content, and the risk is heightened here because uploading user content to an external service is the skill's main function.

Missing User Warnings
Severity: Low
Confidence: 92%
Finding: The script silently creates files beside the source Markdown without warning that local artifacts will be written or potentially overwritten. While the filenames are fixed rather than attacker-controlled, this still creates an integrity and privacy risk by leaving rendered HTML and remote preview URLs on disk in locations the user may not monitor.

VirusTotal

66/66 vendors flagged this skill as clean.
