ClawHub
Back to skill

Security audit

UAPI 查询 MC 曾用名 接口

Security checks across malware telemetry and agentic risk

Overview

This appears to be a low-risk Minecraft name-history lookup skill with some overly broad trigger wording, not evidence of harmful behavior.

Install only if you want Minecraft username history lookups. Be aware that broad trigger phrases may make an agent try this skill for server status or general player-profile questions; verify that results are specifically name-history data before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is documented as wrapping only `GET /game/minecraft/historyid` for Minecraft name history, but the keyword list also advertises `minecraft server status`, which is a different capability. This can cause incorrect tool selection and route user requests to an endpoint that cannot satisfy them, increasing the chance of misleading results, privacy mistakes, or unsafe downstream automation based on wrong assumptions.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The description includes trigger phrases that are not tightly scoped to the actual endpoint purpose, such as 'minecraft player lookup' and especially 'minecraft server status', which can match requests unrelated to name-history lookup. This can cause unintended invocation of the skill, leading the agent to select the wrong API and produce incorrect or irrelevant results.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The common-keyword section contains ambiguous English phrases like 'historyid' and 'minecraft player lookup' without contextual constraints, making accidental routing likely when users ask for broader Minecraft account or profile information. In an agent environment, ambiguous triggers increase the chance of selecting this skill for the wrong task and issuing mismatched API calls.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal