sync-doc-to-lab

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated report-sync purpose, but it also automatically creates anonymous report preview links and uses broad triggers for persistent sync actions.

Install only if you intend the agent to write reports into your personal_lab workspace and call the local lab service. Review the hardcoded app key and localhost endpoints, and avoid using the default share-link flow for sensitive reports unless you are comfortable with anonymous token-based access for the stated expiration period.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill's stated purpose is syncing reports into a local knowledge base, but it also adds a capability to generate anonymous share links for reports. That expands the data exposure surface beyond ingestion and could allow report contents to be accessed by anyone possessing the tokenized URL, especially if users are not explicitly warned or did not request sharing.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The code directly implements anonymous sharing through /api/reports/{report_id}/share using a static app key, even though report synchronization does not require public or semi-public distribution. This creates an unnecessary disclosure mechanism that could leak potentially sensitive report content if links are exposed, logged, or generated automatically without informed approval.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger phrase includes the very broad term '同步' (Chinese for "sync"), which is likely to collide with ordinary conversation and accidentally invoke a skill that performs file writes and network API calls. In this context, accidental activation is security-relevant because the skill can transmit data externally and modify the local knowledge base without a narrowly scoped invocation.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill performs identity lookup via an external API, writes files into a workspace, and triggers local ingestion, yet it does not clearly warn users about these side effects or the data movement involved. This lack of transparency increases the risk of unintended disclosure, unauthorized syncing, or user confusion about where content is stored and who can access it.

Missing User Warnings

Medium
Confidence: 89%
Finding
The document instructs an agent to modify report files by adding sync markers and to send report-related data to a local HTTP service, but it provides no user-consent, disclosure, or trust-boundary warning. Even though the target is localhost, this still crosses a boundary to another service and can silently alter user content or expose sensitive report metadata/content to whatever is listening on 127.0.0.1:8000.

External Transmission

Medium
Category: Data Exfiltration
Content
import requests
API_BASE = "http://127.0.0.1:8000"  # assumed: the report's local lab endpoint (127.0.0.1:8000)

def sync_reports(mode: str = "incremental") -> dict:
    """Call /api/sync on the local lab service."""
    resp = requests.post(
        f"{API_BASE}/api/sync",
        json={"mode": mode},
        headers={"Content-Type": "application/json"},
    )
    resp.raise_for_status()
    return resp.json()
Confidence: 86%
Finding
requests.post( f"{API_BASE}/api/sync", json=

External Transmission

Medium
Category: Data Exfiltration
Content
import requests
API_BASE = "http://127.0.0.1:8000"  # assumed: the report's local lab endpoint (127.0.0.1:8000)

def compile_report(report_id: str, mode: str = "propose") -> dict:
    """Call /api/wiki/compile on the local lab service."""
    resp = requests.post(
        f"{API_BASE}/api/wiki/compile",
        json={"report_id": report_id, "mode": mode},
        headers={"Content-Type": "application/json"},
    )
    resp.raise_for_status()
    return resp.json()
Confidence: 84%
Finding
requests.post( f"{API_BASE}/api/wiki/compile", json=

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal