ClawHub

照妖镜 Magic Mirror

Security checks across malware telemetry and agentic risk

Overview

This is a real social-media self-analysis skill, but it under-discloses how much logged-in private activity it can collect and store.

Install only if you are comfortable letting an agent inspect logged-in social accounts, including likes, favorites, saves, follows, comments, and history. Use a separate browser profile, approve each platform and data category explicitly, avoid automatic unpinned dependency downloads, and delete mirror-reports after use if you do not want raw data retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (56)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The skill tells users it will only view public profile information, but the later workflow explicitly collects likes, favorites, and other preference signals available only in a logged-in context. That is a direct mismatch between disclosure and actual behavior, which undermines informed consent and can lead users to expose much more sensitive data than they were led to expect.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
Although the boundary section says not to infer sexual orientation or similar sensitive traits, the workflow is built around extracting 'hidden truths' from private preference data and turning them into sharable contradictions. In practice, that analysis pattern can still surface or strongly imply protected or intimate attributes even if the text says not to, especially when combining multiple platforms and private engagement history.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest frames the skill as collecting public social-media data for entertainment, but the instructions direct collection of logged-in preference data and persistence of raw harvested account data. This gap is dangerous because it misrepresents both the scope of access and the retention of sensitive behavioral data, defeating meaningful user consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill instructs the agent to automatically clone or download and unzip a dependency from GitHub at runtime. That expands the trust boundary to remote code and content acquisition unrelated to the user's immediate request, creating supply-chain and arbitrary-content risks if the repository is compromised, changed, or spoofed.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill directs inspection of local config files such as .mcp.json and config/mcporter.json to discover browser automation connectivity. For an entertainment profiling skill, probing local configuration broadens access beyond user-provided social data and may expose unrelated system details, tokens, or infrastructure metadata.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill claims to collect the current logged-in user's Bilibili profile, but it also harvests information about other accounts in the user's follow list. That expands collection beyond the user's own data and creates unnecessary third-party data exposure, especially because those followed accounts are not the direct subject of the requested analysis.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The parent skill is framed as generating a self-awareness report from social media presence, but this sub-skill performs bulk extraction of full favorites contents and the user's social graph. Favorites and follow relationships are sensitive behavioral data, and collecting them in full is disproportionate to the stated purpose, increasing privacy risk and the chance of misuse or over-retention.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill does not merely collect catalog metadata; it explicitly extracts users' free-text comments, tags, ratings, dates, and links from authenticated pages for downstream profiling. Those comments can reveal opinions, emotions, health, politics, relationships, or other sensitive inferences, so treating them as ordinary profile fields understates the privacy risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The section stating that detailed fields are required for '画像分析' shows the implementation is designed for behavioral/psychological profiling rather than simple export of profile data. This increases sensitivity because ratings, dates, tags, and comments are being preserved specifically to infer personal traits, which materially expands privacy impact beyond the headline description.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The implementation returns `document.body.innerText` from the logged-in user's self page, which can include substantially more information than the documented profile fields and works list. This creates an overcollection risk because any visible sensitive account data on the page is swept into the result without field-level minimization or filtering.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The likes step also returns full page text rather than only liked video titles and play counts. Since likes can reveal sensitive preferences and behavior, scraping the entire rendered page broadens disclosure beyond the stated purpose and increases privacy harm.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The favorites collection is described as a narrow extraction, but the documented implementation pattern indicates another broad page scrape. Favorites often expose especially sensitive interests, so full-page capture materially increases the privacy and misuse risk.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill collects the logged-in user's follow list and favorites, which goes beyond the parent skill's stated purpose of generating social-profile insights from public-facing signals. This creates unnecessary access to more sensitive behavioral data than is needed, increasing privacy risk and violating data-minimization principles.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The favorites list is especially sensitive because it reveals private preferences, interests, and reading/viewing history that may not be obvious from public posting behavior. Collecting it without a clear necessity for the promised self-discovery report constitutes over-collection and raises meaningful privacy and profiling risks.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill description claims collection of public social-media data, but the workflow explicitly uses the currently logged-in Douban session, follows /mine/ redirects, and performs authenticated fetches with credentials included to harvest full profile, activity, and history data. That mismatch is dangerous because it can cause users to authorize what they believe is public-data analysis while the code actually accesses non-public or account-scoped data.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The workflow goes far beyond the skill's stated purpose of scanning public social-media profiles for a fun self-awareness report. It explicitly navigates to the authenticated self profile and extracts likes, favorites, and a full following list, which are sensitive account-level data categories that may be non-public and exceed reasonable user expectations for this feature.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This workflow relies on an existing logged-in browser session to scrape private or semi-private Douyin account sections, including likes, favorites, and the full following panel. Using authenticated access to harvest data unrelated to the lightweight entertainment purpose creates a serious privacy overreach and increases the chance of unauthorized collection, profiling, and downstream misuse.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The workflow explicitly states it collects the user's full Weibo profile information including favorites, even though the skill description frames the capability as analysis of public social-media profiles. Favorites are typically more sensitive than public posts because they reveal private interests and behavioral signals not necessary for the stated purpose, creating unnecessary overcollection.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Steps 7-8 navigate to the favorites page and scrape saved posts, which goes beyond the declared purpose of public-profile self-discovery. This creates a privacy risk because saved/favorited content can expose sensitive preferences, affiliations, or personal traits and may not be expected to be processed by the user under a 'public profile' analysis feature.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The workflow explicitly collects favorites and liked-post histories in addition to profile basics and posted notes, despite the skill description framing the product as analysis of public social media data. Favorites and likes are sensitive behavioral data, and collecting them at full depth materially exceeds data minimization and user-expectation boundaries, enabling invasive profiling.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Injecting an XHR interceptor to capture underlying API responses is a powerful surveillance technique that bypasses normal UI-level boundaries and harvests data not otherwise exposed in the visible page. In this skill context, that capability is unrelated to a lightweight entertainment/profile-analysis use case and significantly increases the risk of unauthorized collection of sensitive account activity.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The workflow behavior diverges from the skill's declared 'public data' scope by extracting full favorites and likes datasets via intercepted API traffic across multiple steps. This mismatch is dangerous because users and platform operators may reasonably expect only public-profile scraping, while the implementation performs deeper behavioral surveillance that can reveal private interests and patterns.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill materially exceeds a reasonable social-profile analysis scope by harvesting the currently logged-in user's full favorites and likes, which are typically more sensitive than public posts because they reveal preferences, interests, and behavioral history. It also does so at scale and by design, making it a privacy-invasive overcollection issue rather than a narrowly tailored data-access feature.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill instructs monkey-patching XMLHttpRequest to intercept private API responses, which is a stealthy capability that bypasses normal UI boundaries and captures network data not needed for a typical profile-insight feature. This elevates risk because it can silently extract account-specific data and could be repurposed to capture additional sensitive responses beyond the intended endpoints.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
Although framed as collecting the current user's homepage data, the extraction of favorite/liked notes also captures associated author metadata for other users, expanding collection to third-party personal data without notice. This is dangerous because it broadens privacy exposure and creates downstream data-processing obligations the skill does not acknowledge.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal