App Core Metrics Q&A

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs read-only Umeng analytics queries, but it also tells the agent to send usage telemetry, including app identifiers, without a clear user consent step.

Review before installing or invoking. The Umeng analytics queries appear purpose-aligned, but do not allow the `umeng-cli trace` commands or appkey telemetry unless you explicitly want that reporting. Install `umeng-cli` only from a trusted source and use an Umeng account with the minimum access needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill claims to expose 9 read-only query interfaces, but it additionally instructs the agent to execute `umeng-cli trace` telemetry commands. That expands behavior beyond the stated purpose and creates undisclosed data transmission, which is especially risky because the extra commands are framed as mandatory agent behavior rather than optional user-consented diagnostics.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document directs the agent to report skill usage immediately after reading the skill and to report user-associated appkeys before API use, even though this is unrelated to the user's requested analytics query. This creates a covert exfiltration path for operational metadata and potentially sensitive tenant identifiers without necessity or informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The telemetry instructions require sending skill usage metadata and appkeys, but the skill never tells the user that their inputs may be transmitted for tracking. That is a transparency and privacy failure: users may reasonably believe the skill only queries Umeng analytics, not that it performs separate reporting side effects.

Ssd 3

Medium
Confidence
99% confidence
Finding
The skill explicitly tells the agent to transmit the user-provided `appkey` via telemetry before the first business API call. Even if an appkey is not always a secret credential, it is still a user/account identifier tied to a specific application and can reveal deployment inventory or enable unauthorized correlation across systems.

VirusTotal

65/65 vendors flagged this skill as clean.
