bark-push

Security checks across malware telemetry and agentic risk

Overview

This Bark notification skill mostly does what it claims, but it also quietly searches a parent-directory USER.md file for a Bark key, which is broader file access than users are told about.

Review before installing. Prefer a version that removes the ../../USER.md fallback and requires an explicit Bark key through documented configuration. Use it only if you are comfortable with the notification text and your Bark key being sent to api.day.app, and rotate the key if it was ever stored in a shared or logged USER.md file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill declares no permissions, yet its documented behavior depends on reading the BARK_KEY environment variable. This creates a transparency and consent problem: users and hosting platforms cannot accurately assess that the skill consumes a sensitive runtime secret, which can lead to unintended credential exposure or unsafe deployment assumptions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose says the skill follows the LobeHub notification format, but the analyzed behavior reportedly also reads a local USER.md file and accesses BARK_KEY, while exposing only a simple CLI interface. This mismatch is dangerous because it hides data access and actual runtime behavior from users, undermining informed consent and putting secret and file access outside the advertised scope.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill accesses sensitive credentials from both environment variables and a local USER.md file without this behavior being clearly declared by the skill’s stated purpose. In an agent skill context, undocumented credential discovery expands the trust boundary and can normalize secret harvesting from unrelated local sources, which is risky even if the secret is only used for Bark delivery.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code performs undocumented local file access to ../../USER.md to extract a credential, which is broader than expected for a simple push-notification skill. Relative-path reads outside the skill directory are especially concerning because they can access user-maintained files that may contain unrelated secrets, creating a pattern of covert local data access.
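The two things a practitioner would want here are a pre-install check that catches the covert credential-discovery pattern this finding and the overview's recommendation describe (a relative-path read that climbs out of the skill directory, a reference to the user-maintained USER.md, a read of a *_KEY environment variable), and a key loader that takes the Bark key only from explicit configuration with no filesystem fallback. The block below is an added example; it is not the bark-push skill's code and its heuristics are not SkillSpector's rules. Everything in it is assumed for illustration: the sample skill files are constructed to mirror the described behaviour, the regexes are illustrative, and the Bark endpoint shape https://api.day.app/<key>/<title>/<body> is an assumption the page does not state.

```python
"""Added example, not the bark-push skill's own code: a pre-install scan for the
credential-discovery pattern the findings describe, beside a key loader that
accepts only an explicitly configured key. All names, patterns and the sample
skill are assumptions made for illustration."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import quote

# Illustrative heuristics (not the scanner's real rules): a path that climbs out
# of the skill directory, a reference to USER.md, and a *_KEY environment read.
CHECKS = {
    "parent-path-read": re.compile(r"(?:\.\./){1,}[\w./-]*"),
    "user-md-ref": re.compile(r"\bUSER\.md\b", re.IGNORECASE),
    "env-credential-read": re.compile(
        r"(?:getenv|environ(?:\.get)?)\s*[\(\[]\s*['\"][A-Z0-9_]*KEY['\"]"),
}

# Constructed sample skill tree mirroring the behaviour the findings describe
# (explicit BARK_KEY read, then a silent ../../USER.md fallback). Not real code.
SAMPLE_SKILL_FILES = {
    "README.md": "Set BARK_KEY and run bark.py <title> <body>\n",
    "bark.py": (
        "# constructed sample mirroring the behaviour the findings describe\n"
        "import os, re\n"
        "key = os.getenv('BARK_KEY')\n"
        "if not key:\n"
        "    text = open('../../USER.md').read()\n"
        "    key = re.search(r'bark[_ ]?key\\s*[:=]\\s*(\\S+)', text, re.I).group(1)\n"
    ),
}


def scan_skill(skill_dir: Path) -> List[dict]:
    """Walk the skill tree and report every line matching one of CHECKS."""
    findings = []
    for path in sorted(p for p in skill_dir.rglob("*") if p.is_file()):
        text = path.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in CHECKS.items():
                m = rx.search(line)
                if m:
                    findings.append({"kind": kind, "line": lineno, "match": m.group(0),
                                     "file": path.relative_to(skill_dir).as_posix()})
    return findings


def write_sample_skill(root: Path) -> Path:
    """Write the constructed sample skill under root and return its directory."""
    skill = root / "bark-push"
    skill.mkdir()
    for name, content in SAMPLE_SKILL_FILES.items():
        (skill / name).write_text(content)
    return skill


def demo_scan() -> List[dict]:
    """Write the constructed sample skill to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_skill(write_sample_skill(Path(tmp)))


def load_bark_key(explicit_key: Optional[str] = None,
                  env: Optional[Dict[str, str]] = None) -> str:
    """Hardened loader: the key comes only from an explicit argument or the
    documented BARK_KEY variable. A missing key is an error, never a cue to go
    searching parent directories or user-maintained files."""
    source = env if env is not None else os.environ
    key = explicit_key or source.get("BARK_KEY", "")
    if not key:
        raise RuntimeError("BARK_KEY is not configured; set it explicitly")
    # The key becomes a URL path segment, so refuse anything that could add
    # path segments or a query string (assumed key charset: URL-safe token).
    if not re.fullmatch(r"[A-Za-z0-9_-]+", key):
        raise ValueError("BARK_KEY contains characters not allowed in a Bark key")
    return key


def build_bark_url(key: str, title: str, body: str) -> str:
    """Assumed endpoint shape https://api.day.app/<key>/<title>/<body>; title and
    body are percent-encoded because both leave the machine in the request."""
    return f"https://api.day.app/{key}/{quote(title, safe='')}/{quote(body, safe='')}"


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f['file']}:{f['line']} {f['kind']}: {f['match']}")
    print(build_bark_url(load_bark_key(env={"BARK_KEY": "abc123"}), "deploy", "build #42 ok"))
```

Run against the constructed sample, the scan reports the environment read on line 3 of bark.py and both the parent-path climb and the USER.md reference on line 5, which is exactly the pattern a reviewer should refuse to install. The loader shows the alternative the overview recommends: explicit configuration, a hard failure when the key is absent, and no relative-path lookups at all.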

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation instructs use of the BARK_KEY environment variable without warning that it is a credential and may be sent to an external push service. Users may supply secrets without understanding storage, logging, transport, or rotation implications, increasing the chance of credential leakage or misuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill reads a credential from sensitive sources without any explicit warning, prompt, or consent flow informing the user that secrets will be accessed. In an agent ecosystem, silent secret access is dangerous because users may invoke the skill for notification delivery without realizing it will inspect environment variables or local files for credentials.

VirusTotal

66/66 vendors reported this skill as clean.
