Security audit

Push Message Data Assistant (Umeng U-Push)

Security checks across malware telemetry and agentic risk

Overview

The skill is meant to query Umeng Push data, but it handles live login cookies and API access in ways that are broader and less controlled than its read-only description suggests.

Review before installing. If you use it at all, run it in an isolated environment and, where possible, with a low-privilege Umeng account. Do not run the automatic cookie extraction script unless you intend for the skill to read your browser session cookie; avoid the custom request command; never send the cookie to non-Umeng URLs; and delete both cookie.txt and cookie.json after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (45)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("正在读取浏览器 Cookie...")  # "Reading browser cookie..."

js_code = "document.cookie"
cookie_result = subprocess.run(
    ['mcp', 'tool', 'call', 'mcp__builtin_browser__evaluate',
     f'{{"expression": "{js_code}"}}'],
    capture_output=True,
Confidence
95% confidence
Finding
cookie_result = subprocess.run( ['mcp', 'tool', 'call', 'mcp__builtin_browser__evaluate', f'{{"expression": "{js_code}"}}'], capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if platform.system() == 'Darwin':
    subprocess.run(['open', filepath], check=True)
elif platform.system() == 'Windows':
    subprocess.run(['start', filepath], shell=True, check=True)
else:
    subprocess.run(['xdg-open', filepath], check=True)
print(f"\n\U0001f310 已在浏览器中打开报告")  # "Report opened in browser"
Confidence
97% confidence
Finding
subprocess.run(['start', filepath], shell=True, check=True)
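The Windows branch is the one to worry about: `start` is a cmd.exe builtin, so the skill reaches for shell=True, and subprocess then flattens the list into a single command line that cmd.exe parses, metacharacters included. The following is an added example (not code from the skill) showing what cmd.exe actually receives and a replacement that opens the report without a shell; REPORT_DIR and the .html rule are assumptions made for the example.

```python
import os
import platform
import re
import subprocess
from typing import List, Optional

# Assumption for this example: reports are written below this directory.
REPORT_DIR = os.path.abspath("reports")

# Characters cmd.exe interprets once shell=True hands it a command line.
_CMD_META = re.compile(r'[&|<>^%"\s]')


def windows_shell_line(filepath: str) -> str:
    """What cmd.exe receives from subprocess.run(['start', filepath], shell=True):
    the list is flattened with list2cmdline and run via `cmd.exe /c`, so any
    metacharacter in the file name is parsed by the shell, not treated as a name."""
    return subprocess.list2cmdline(["start", filepath])


def open_report_argv(filepath: str, system: str) -> Optional[List[str]]:
    """Hardened replacement. Returns an argv list to run WITHOUT a shell, or None
    when the caller should use os.startfile (Windows has no `open` binary, and
    `start` is a cmd.exe builtin, which is exactly why the original needed shell=True).
    Raises ValueError for paths outside REPORT_DIR, non-.html files, or names
    containing shell metacharacters (defence in depth even with argv lists)."""
    full = os.path.abspath(filepath)
    if os.path.commonpath([REPORT_DIR, full]) != REPORT_DIR:
        raise ValueError(f"refusing to open a file outside {REPORT_DIR}: {full}")
    if not full.lower().endswith(".html"):
        raise ValueError("report must be an .html file")
    if _CMD_META.search(os.path.basename(full)):
        raise ValueError("report file name contains shell metacharacters")
    if system == "Darwin":
        return ["open", full]
    if system == "Windows":
        return None
    return ["xdg-open", full]


def open_report(filepath: str) -> None:
    """Open the report with the platform handler, never through a shell."""
    argv = open_report_argv(filepath, platform.system())
    if argv is None:
        os.startfile(filepath)  # Windows only; no cmd.exe involved
    else:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    # A file name containing '&' becomes two commands for cmd.exe.
    print(windows_shell_line("report.html&calc"))
```

Run stand-alone it prints the command line cmd.exe would execute for a hostile file name; the point of the path and name checks is that the report file name is derived from remote data, so it should be treated as untrusted input even when no shell is involved.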

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exercises sensitive capabilities including file read/write, network access, and shell execution, yet declares no explicit permissions boundary. That weakens reviewability and increases the chance that a supposedly read-only helper can exfiltrate credentials, persist secrets locally, or invoke unintended commands without clear user consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior conflicts with the claimed read-only, user-supplied-cookie scope: the documentation describes broader capabilities, including browser/MCP cookie acquisition, arbitrary custom HTTP requests, a hidden send-test function, and automatic local HTML report generation and opening. A mismatch between stated and actual behavior is dangerous because users and reviewers may authorize a far more privileged tool than they intended.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The changelog explicitly documents a switch from user-supplied cookies to automated browser extraction, which materially expands the skill from read-only querying into credential harvesting behavior. In this context, automatically reading authentication cookies and persisting them locally creates a sensitive secret-collection flow that contradicts the manifest and increases the chance of unauthorized access, token reuse, and accidental disclosure.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The documented capability to open a browser, run JavaScript, read document.cookie, validate it, and save it is not necessary for a read-only assistant that merely queries push data. Because cookies are bearer credentials for a logged-in session, this introduces credential-harvesting functionality that could be abused to access or act as the user outside the narrow stated purpose.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
Saving the cookie to a local file extends the exposure window of a highly sensitive session secret beyond a single user request. Local plaintext persistence increases the risk of theft by other local processes, accidental inclusion in backups, logs, or version control, and misuse after the original user interaction has ended.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documented change directly contradicts the skill metadata that says the user must provide the cookie, indicating undocumented capability expansion. Security-sensitive divergence between manifest and actual behavior is dangerous because users and reviewers may trust the narrower description while the skill performs broader credential access behind the scenes.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is described as a read-only helper, but the examples explicitly show how to invoke a custom POST request to the Umeng API, including a send endpoint. That creates a capability mismatch that can mislead users, reviewers, and higher-level agents into granting or using the skill in ways that permit state-changing actions such as sending pushes.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation repeatedly frames the skill as query-only, yet it instructs users to call a POST /api/send-style endpoint. In agent or tool-chaining contexts, this inconsistency is dangerous because a supposedly low-risk read-only skill can be used to perform operational actions against a production push platform.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The README documents an automatic browser-cookie extraction flow that exceeds the stated requirement that the user manually provide a Cookie. Reading authenticated cookies from the user's browser grants the skill access to active session credentials and materially increases the chance of credential theft, misuse, or unintended access even if the advertised actions are read-only.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The README presents the skill as 'strictly' read-only while also documenting automation that harvests authentication cookies from the browser. This mismatch is dangerous because it can mislead users and reviewers about the actual trust boundary: possession of a valid session cookie and CSRF token may enable broader account actions if other controls fail or if the code later expands beyond read-only endpoints.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file advertises a read-only Umeng helper, but its documented usage includes send_test and a generic request path that can be used for state-changing operations. In a skill that asks users to provide a live authenticated Cookie, hidden or undocumented write capability materially increases the risk of unauthorized push actions or other account changes.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The custom request feature accepts an arbitrary URL and then automatically attaches the stored Umeng authentication Cookie and CSRF token in the outbound request. This can exfiltrate the user's session credentials to any attacker-controlled domain, which is especially dangerous because the skill explicitly instructs users to provide a privileged browser Cookie.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The function is presented as a real message-detail query, but inline comments state the endpoint is only an example and must be replaced. This mismatch can mislead users or downstream agents into trusting inaccurate behavior, causing requests to the wrong endpoint with real credentials and making unsafe debugging or workaround behavior more likely.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script automates retrieval of browser cookies and saves them locally, even though the skill description says the user should manually obtain and provide the Cookie. This discrepancy matters because it silently expands the trust boundary from read-only querying into credential harvesting and storage of active session secrets.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Using subprocess-driven MCP browser automation to navigate an authenticated session and extract cookies gives the skill a capability broader than its stated purpose of read-only backend queries. A helper that can pull browser session tokens can impersonate the user outside the browser and access account data far beyond what users may reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill metadata says this helper is for read-only queries of app lists and push data, but this function also fetches vendor channel integration configuration. Even if the API call is read-only, it expands access to sensitive administrative configuration beyond the declared scope, increasing the chance of unintended disclosure when run with a user's authenticated cookie.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This code prints vendor AppID/ClientID/AppSecret/ClientSecret values directly to stdout. That exposes sensitive configuration data to the terminal, logs, transcripts, or any surrounding agent tooling, which is materially beyond the stated purpose of querying push statistics and can leak credentials usable in other vendor systems.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Automatically launching local browser/application handlers is a capability escalation beyond simple querying and can have security consequences when combined with attacker-influenced filenames or HTML content. In this script, the danger is increased because the generated report embeds remote data and is opened automatically, creating a path from external data to local browser execution context.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script stores a live authentication cookie to a local JSON file even though the skill is described as read-only query assistance. Persisting session cookies increases the exposure window for credential theft via local compromise, backups, accidental sharing, or reuse by other processes, and the cookie likely grants authenticated access to the Umeng console regardless of the skill's intended read-only use.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The interceptor allows any URL not explicitly listed in a very small blacklist, so it fails open and defeats the stated purpose of a security control. In a skill marketed as read-only and operating with the user's authenticated Umeng cookies, allow-by-default behavior lets unreviewed state-changing or sensitive endpoints be called whenever they are missing from the blacklist; a new API version or an alternate path for the same operation is enough to bypass it.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code permits unspecified Umeng endpoints even though the skill description says it is a read-only query helper. Because the skill uses an authenticated Cookie from the user's Umeng session, allowing arbitrary unlisted endpoints creates a path to unauthorized writes, configuration changes, or other privileged actions inconsistent with the skill's declared trust boundary.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document normalizes automatic reading and local storage of cookies without prominent warning that these are sensitive session credentials capable of authenticating as the user. Lack of clear consent and privacy/security messaging makes it more likely that operators will expose active sessions without understanding the consequences.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly instructs users to pass the full cookie string on the command line when saving it. Shell arguments are commonly exposed via shell history, process listings, terminal scrollback, and logs, so this guidance can leak active session credentials and enable account/session takeover.
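The findings above about cookies on the command line, vendor secrets printed to stdout, and cookies persisted in plaintext share one remedy: keep the secret out of argv, redact it before anything is printed, and, if it must be written at all, write it owner-readable only. The following is an added example (not the skill's code) of those three habits; the UMENG_COOKIE variable name and the list of sensitive key suffixes are assumptions made for the example.

```python
import getpass
import os
import stat
import sys
from typing import Dict, Mapping, Optional

# Assumption for this example: the variable the skill would read instead of a
# positional argument (which ends up in shell history and process listings).
COOKIE_ENV = "UMENG_COOKIE"
SENSITIVE_SUFFIXES = ("Secret", "Token", "Cookie", "Password")


def load_cookie(env: Mapping[str, str] = os.environ, prompt: bool = True) -> str:
    """Take the cookie from the environment or a no-echo prompt, never from argv."""
    value = env.get(COOKIE_ENV, "").strip()
    if not value and prompt and sys.stdin.isatty():
        value = getpass.getpass("Umeng Cookie (input hidden): ").strip()
    if not value:
        raise ValueError(f"no cookie supplied: set {COOKIE_ENV} or enter it at the prompt")
    return value


def redact(secret: str, keep: int = 4) -> str:
    """Mask a secret for logs and transcripts, keeping a short prefix for correlation."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def redact_config(cfg: Dict[str, object]) -> Dict[str, object]:
    """Redact AppSecret/ClientSecret-style values before the config is printed."""
    return {k: redact(str(v)) if k.endswith(SENSITIVE_SUFFIXES) else v
            for k, v in cfg.items()}


def write_secret_file(path: str, data: str) -> Optional[int]:
    """Persist a secret owner-readable only. Returns the resulting mode bits on
    POSIX (None on Windows, where ACLs rather than mode bits apply)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(data)
    if os.name != "posix":
        return None
    os.chmod(path, 0o600)  # the mode passed to os.open is subject to umask
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    cookie = load_cookie()
    print("using cookie", redact(cookie))
    print(redact_config({"AppID": "123456", "AppSecret": "example-secret-value"}))
```

Even with the file mode tightened, the advice in the overview still stands: the cookie is a bearer credential for the console session, so delete the file when the task is finished rather than relying on permissions alone.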

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected. Note that signature-based scanning and static pattern matching look for known malware; a clean result here does not offset the scope and design findings above.