University Admissions Monitor (高校招生监控)

Security checks across malware telemetry and agentic risk

Overview

The skill’s main admissions-monitoring purpose is legitimate, but it under-specifies local report storage, QQ file sending, and cron-based automatic execution.

Review this skill before installing. It appears to scrape public school pages rather than steal credentials, and static scan/VirusTotal inputs did not show malware evidence, but only use it if you are comfortable with local report files being created and with any QQ sending or cron scheduling requiring explicit, separate confirmation. Prefer running it manually first, keep reports local unless you choose a recipient, and ask for the exact cron entry and removal command before enabling scheduled monitoring.

Publisher note

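Monitors the graduate school/college admissions websites of specified universities and automatically extracts the latest notices. Supports automatic retry and error-classification prompts.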

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill documentation describes network access, local file creation, and file handling, but it does not declare permissions or explicitly bound those capabilities. This matters because users and hosting platforms cannot accurately evaluate or constrain what the skill may do, increasing the chance of unexpected file access or outbound communication. In this context the capabilities are aligned with the stated monitoring function, so the issue is transparency and control rather than obvious malicious behavior.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding
The skill claims to monitor admissions notices and generate reports, but the documentation also indicates it writes Word documents to local storage, including temporary paths, without clearly surfacing that behavior in the top-level purpose or trust boundary. That mismatch can mislead users or reviewers about persistence and data handling, which is risky when content may include scraped information or user-selected targets. The skill context makes this somewhat less severe because report generation is related to the feature set, but the undocumented storage behavior still creates avoidable risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation states that generated Word files are sent directly through QQ and then deleted, but it does not provide a clear warning, consent flow, or privacy notice about transmission to an external service. Automatic file transmission can expose report contents, recipient metadata, or operational details to unintended parties, especially if the report includes scraped content, institution selections, or timestamps. The skill context makes this more dangerous because the transmission is presented as a routine post-processing step rather than a high-sensitivity action requiring explicit approval.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The FAQ normalizes cron-based scheduling and automatic saving without clearly warning that these actions create persistence and write files on the host system. In an agent skill context, describing such behavior as something the AI will 'help configure' can lead users to authorize system modifications without understanding the security and operational consequences.

VirusTotal

VirusTotal findings are pending for this skill version.
