导师 Mentor

Security checks across malware telemetry and agentic risk

Overview

The skill advertises public-figure mentor generation, but it also bundles modules that can scrape sensitive personal social-media data from the currently logged-in user.

Review carefully before installing. Only use it if you are comfortable granting browser automation and local file access, and avoid running the bundled deep-profile collectors while logged into personal social accounts unless you intentionally want those histories collected locally. Require explicit approval before GitHub downloads, shell commands, MCP credential use, or authenticated scraping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (55)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        "method": "tools/call",
        "params": {"name": "fetch_api", "arguments": {"url": url, "method": "GET"}}
    })
    r = subprocess.run([
        "curl", "-s", "--max-time", "15", "-X", "POST", mcp_endpoint,
        "-H", f"Authorization: Bearer {api_key}",
        "-H", "Content-Type: application/json",
Confidence
93% confidence
Finding
r = subprocess.run([ "curl", "-s", "--max-time", "15", "-X", "POST", mcp_endpoint, "-H", f"Authorization: Bearer {api_key}", "-H", "Content-Type: application/json",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    sub_url = "https:" + subs[0]['subtitle_url']

    # Step 3: download the subtitles
    dl = subprocess.run(["curl", "-sL", sub_url], capture_output=True, text=True, timeout=15)
    try:
        sub_data = json.loads(dl.stdout)
        lines = [item['content'] for item in sub_data['body']]
Confidence
95% confidence
Finding
dl = subprocess.run(["curl", "-sL", sub_url], capture_output=True, text=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    m = re.search(r'(https://deepmining[^\s"]*\.(json|html))', r.stdout)
    if m:
        dl = subprocess.run(["curl", "-sL", m.group(1)], capture_output=True, text=True, timeout=10)
        try:
            return json.loads(dl.stdout)
        except:
Confidence
94% confidence
Finding
dl = subprocess.run(["curl", "-sL", m.group(1)], capture_output=True, text=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    mp3_file = os.path.join(output_dir, f"{video_id}.mp3")

    # download the video
    subprocess.run([
        "curl", "-sL", video_url, "-o", mp4_file,
        "-H", "Referer: https://www.douyin.com/",
        "-H", "User-Agent: Mozilla/5.0"
Confidence
91% confidence
Finding
subprocess.run([ "curl", "-sL", video_url, "-o", mp4_file, "-H", "Referer: https://www.douyin.com/", "-H", "User-Agent: Mozilla/5.0" ], capture_output=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return {"id": video_id, "status": "download_failed", "size": size}

    # extract the audio track with ffmpeg
    subprocess.run([
        "ffmpeg", "-i", mp4_file, "-vn", "-acodec", "libmp3lame", "-q:a", "4", mp3_file, "-y"
    ], capture_output=True, timeout=30)
Confidence
88% confidence
Finding
subprocess.run([ "ffmpeg", "-i", mp4_file, "-vn", "-acodec", "libmp3lame", "-q:a", "4", mp3_file, "-y" ], capture_output=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    m = re.search(r'(https://deepmining[^\s"]*\.(json|html))', r.stdout)
    if m:
        dl = subprocess.run(["curl", "-sL", m.group(1)], capture_output=True, text=True, timeout=10)
        try:
            return json.loads(dl.stdout)
        except:
Confidence
95% confidence
Finding
dl = subprocess.run(["curl", "-sL", m.group(1)], capture_output=True, text=True, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares no permissions, yet it instructs the agent to read files, write local artifacts, and execute shell commands. This creates a misleading trust boundary: users and the host may assume a low-risk skill, while the actual behavior can modify the environment and access local data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented behavior promises simple mentor generation from a person's name, but the actual workflow includes broader browser automation, environment inspection, installation steps, and tooling that does not cleanly match that promise. This mismatch can cause users to approve the skill under false assumptions, enabling actions they did not reasonably expect.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill tells the agent to automatically clone or download and unzip code from GitHub into the local workspace. Pulling remote code into a user's environment without strong verification or explicit approval introduces supply-chain risk and can lead to execution of untrusted content or persistent local modification.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill directs the agent to inspect local configuration files such as .mcp.json and config/mcporter.json to discover browser/MCP connectivity. Reading local config broadens access beyond the core mentor-generation task and may expose sensitive endpoints, tokens, or environment details to the skill workflow.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill’s stated purpose in the broader manifest is to model public figures as mentors, but this file instead targets the currently logged-in Bilibili user and harvests their account data. That mismatch is dangerous because it disguises personal-account surveillance as a benign content-collection workflow, increasing the chance of covert data collection without informed consent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill collects favorites, followings, and full account metadata from the authenticated user, none of which are necessary for generating a mentor persona from a public figure. These data categories reveal behavioral preferences, social graph, and account characteristics, making the skill a privacy-invasive overcollection mechanism under misleading framing.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This skill is materially unrelated to the parent skill's stated purpose of modeling public figures. Instead, it targets the currently logged-in Douban user and performs authenticated collection of that user's profile, media history, ratings, comments, tags, and statuses, enabling detailed personal profiling from a private session.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The declared collection scope understates the actual data harvested. The scripts also extract comments, tags, ratings, publication metadata, and status text, which are richer behavioral signals than the summary suggests and increase the privacy and profiling risk to the logged-in user.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill’s core behavior is to harvest the currently logged-in Douyin user’s account data, including private activity, while the parent skill is described as generating a mentor persona from a named public figure’s public content. That mismatch is a strong indicator of covert data collection functionality embedded under an unrelated cover story, which materially increases the likelihood of unauthorized surveillance or data exfiltration.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Collecting likes, favorites, and the full following list is not necessary to synthesize a public figure’s communication style or thinking framework from public materials. These categories reveal sensitive preference and relationship data about the logged-in account owner, creating clear privacy harm and enabling profiling beyond the declared purpose.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file explicitly frames itself as a know-your-owner Douyin data collection module, which directly contradicts the parent skill’s public-figure mentor use case. This inconsistency suggests the skill may be smuggling a separate owner-profiling capability into a benign-seeming package, increasing the risk of deceptive deployment and unauthorized collection.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This skill materially exceeds the stated mentor use case by targeting the currently logged-in Xiaohongshu account and collecting full profile data plus private engagement history. That creates an unjustified privilege expansion from public-figure content gathering into sensitive account scraping, enabling exposure of personal interests, habits, and private metadata.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill deliberately intercepts XHR traffic to harvest favorites and liked content available only within the logged-in session context. This is dangerous because it captures private behavioral data not needed for mentor-style generation and normalizes session-bound network interception as a collection mechanism.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Returning document.body.innerText captures all visible profile-page text, which can include personal profile attributes far beyond what is required to model a public figure's communication style. This broad extraction increases the risk of over-collecting sensitive or irrelevant information and exposing it downstream.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation explicitly states the skill collects the current logged-in user's personal homepage data, which contradicts the parent skill's public-figure mentoring purpose. This mismatch is dangerous because it hides a sensitive data collection workflow behind a broader, seemingly benign feature description.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The recommendation conditions are very broad (e.g., any request resembling 'what would X do'), which can cause an agent to suggest or activate this skill in many ordinary advice-seeking contexts without clear user intent. In this skill, that matters because activation leads to collecting and synthesizing a public figure's content, potentially steering users into persona-simulated advice they did not explicitly request.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The example invocation ('把罗永浩变成我的导师', i.e. "turn Luo Yonghao into my mentor") is user-facing and open-ended, without guardrails on consent, scope, or suitability of the target. That can normalize unconstrained cloning/persona generation and make downstream agents treat vague mentions of a public figure as sufficient authorization to start scraping and building an imitation-oriented profile.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill omits an upfront warning that it may download software from GitHub and create files locally. Hidden environment changes reduce informed consent and increase the chance that users will trigger filesystem and network actions they did not intend to authorize.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The workflow collects and persists large amounts of third-party social-media content into local files without a strong upfront disclosure. This raises privacy, copyright, and data-handling concerns, especially if the user does not realize that raw datasets and derived persona files will be stored on disk.

VirusTotal

67/67 vendors flagged this skill as clean.
