Check User Fraud

Security checks across malware telemetry and agentic risk

Overview

This fraud-analysis skill exposes reusable database credentials and can retrieve broad personal, login, device, IP, account-status, and financial data beyond a tightly scoped fraud check.

Do not install or run this unless you are explicitly authorized to access the referenced database and handle the sensitive records it exposes. Rotate the embedded database password, remove secrets from the skill and history, replace them with scoped read-only credentials, and add role checks, case justification, audit logging, and default redaction before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (39)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README describes capabilities that go beyond the stated skill purpose of checking whether a single user is engaging in fraud, including broader investigation workflows and multi-entity analysis. This scope expansion increases the chance of misuse, over-collection, and unauthorized investigation of unrelated users without clear necessity or guardrails.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill documents access to highly sensitive identity and account-status data such as real name, ID number, blacklist/frozen status, and balances, which are not clearly necessary for the described fraud-check function. Exposing or querying such data without strict purpose limitation creates significant privacy, compliance, and insider-misuse risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The README explicitly supports enumerating multiple users associated with a shared IP, extending the tool from checking one user's fraud indicators to broader network mapping. This increases surveillance capability and can be abused for bulk deanonymization or fishing expeditions beyond the original use case.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The documentation claims sensitive identifiers are masked, but the listed outputs and SQL show raw fields such as mobile, Alipay account, true name, and ID number sources. This mismatch can mislead operators into believing the tool is privacy-safe while it actually enables direct exposure of sensitive personal data.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The README states queries default to recent 7/30 day windows, but many documented SQL statements lack corresponding time filters. This inconsistency can lead to collection of more historical data than operators expect, increasing privacy exposure and the blast radius of misuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill file exposes what appear to be live MySQL connection credentials, including host, username, and password. Hardcoded production credentials in documentation are extremely dangerous because anyone with access to the skill can directly connect to the database, potentially exfiltrate sensitive data, alter records, or pivot further into the environment.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The SQL file goes beyond the declared purpose of fraud-behavior analysis and includes queries for recharge history, publisher billing, blacklist state, freeze state, and account balances. This expands access to sensitive financial and account-control data without clear need-to-know, increasing the risk of privacy violations, misuse, or unauthorized profiling if the skill is invoked broadly.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The mobile-number lookup enables identity resolution from a phone number to internal user records, including true name and registration time, which is not necessary for the stated fraud-analysis function. This creates unnecessary exposure of personally identifiable information and can support deanonymization or user enumeration.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill queries punitive and account-control state such as mutes, task bans, recharge bans, frozen-account markers, and balances, which are outside the described fraud-pattern analysis scope. Access to these administrative and financial controls can reveal sensitive enforcement history and account status, enabling misuse or overcollection beyond the user's stated purpose.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script returns raw IP addresses, device IDs, publisher identifiers, and detailed location data in its output, even though these operational identifiers are not strictly necessary to determine whether a user shows fraud patterns. Exposing this data increases privacy risk, enables downstream tracking or deanonymization, and expands the blast radius if the skill output is logged, shared, or shown to unauthorized users.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script goes beyond checking a target user's fraud behavior and retrieves/returns publisher account transaction details, including spending metadata and payment times. This expands access to unrelated sensitive financial/business data and violates data-minimization principles, increasing the risk of privacy leakage and misuse if the tool is broadly accessible.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script’s declared skill purpose is fraud/shuadan analysis, but the implementation retrieves broad profile, identity, invitation, and membership data unrelated to a minimally scoped fraud check. This creates unnecessary access to sensitive personal data and expands the blast radius if the tool is misused or exposed.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The SQL query fetches sensitive attributes including mobile number, Alipay account, government ID number, and real-name information, none of which are clearly necessary for the stated fraud-detection use case. Exposing these fields increases privacy risk, enables identity abuse, and violates data minimization principles.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The module and function documentation describe querying detailed user information rather than performing fraud analysis, which conflicts with the manifest and indicates the skill may be serving a different purpose than disclosed. This kind of capability mismatch is dangerous because it can hide over-collection and make reviewers or users trust a tool that actually performs broader surveillance.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script's implemented behavior materially exceeds the stated fraud-analysis purpose by retrieving and outputting recent login history, IP addresses, device identifiers, and geolocation details. This creates unnecessary access to sensitive personal data and can enable user tracking or surveillance if the skill is invoked under the pretense of fraud checking.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code provides login-activity and location-intelligence functionality that is not clearly necessary for the advertised fraud/shuadan analysis workflow. Even if not overtly malicious, this capability expansion increases privacy risk and the chance of misuse because operators can inspect sensitive behavioral data unrelated to the declared task.

Intent-Code Divergence

High
Confidence
90% confidence
Finding
The module documentation explicitly states that the script queries recent user login records, contradicting the skill metadata claiming fraud/shuadan analysis. This mismatch is dangerous because it can disguise a sensitive data-access tool as a different business function, undermining informed review, consent, and least-privilege controls.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script collects and returns IP addresses and device IDs, which are sensitive identifiers that can expose user activity and enable correlation or tracking beyond the minimum data needed. In the skill context, the stated purpose is fraud checking, but there is no access control, minimization, masking, or justification in code for disclosing these fields to whoever runs the script.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script does not implement the narrowly described fraud/shuadan analysis; instead it retrieves and prints raw APP visit logs containing device IDs, IP addresses, channels, and other telemetry. That over-collection and disclosure materially expands data exposure beyond the declared purpose, creating a privacy and misuse risk if the skill is invoked for routine fraud checks.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The query and formatter expose detailed visit telemetry, including IP, device ID, channel, app version, and timestamps, even though the stated purpose is fraud analysis rather than log export. In a security-sensitive skill context, this is dangerous because it enables unnecessary access to personal and operational data that could be abused for tracking, profiling, or secondary use.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script returns and prints sensitive personal data including mobile numbers and real names for every account seen on an IP address, enabling bulk PII enumeration. In the context of an agent skill, this is especially dangerous because a single IP lookup can expose unrelated users’ identities far beyond what is needed for fraud detection.

Missing User Warnings

High
Confidence
93% confidence
Finding
The README documents retrieval of highly sensitive personal data without any prominent warning about authorization, privacy obligations, retention limits, or approved-use constraints. In a fraud-analysis context, this omission makes misuse more likely because investigators are encouraged to access rich personal data without clear governance boundaries.

Missing User Warnings

Critical
Confidence
99% confidence
Finding
The README contains a plaintext production-style database host, username, and password. Exposed credentials can enable direct unauthorized database access, bulk data exfiltration, tampering, and persistence, making this the most severe issue in the file.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation not only reveals live database credentials but actively instructs users to access production infrastructure, without clear safety controls, approvals, or warnings about handling sensitive data. This materially increases the chance of unauthorized database use, accidental disclosure, and unsafe querying against live records.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script hardcodes live MySQL host, username, password, and database details directly in source code. If the repository, logs, or packaged skill are exposed, an attacker could reuse these credentials to access sensitive production data, and the script also processes user registration and referral information without any access-control, secret-management, or disclosure safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.
