115 Publish

Security checks across malware telemetry and agentic risk

Overview

This 115 cloud-drive skill mostly matches its stated purpose, but it needs review because it handles account cookies and can perform unsafe network and bulk file-management actions.

Install only if you trust the publisher with your 115 account. Before using it, review or patch TLS verification, make sure saved cookies can be cleared, and require a preview plus explicit confirmation before file moves, deletes, recycle-bin clearing, share transfers, or offline-download cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Intent-Code Divergence (Medium, 89% confidence)
The skill declares dangerous operations such as file deletion, clearing the recycle bin, and download cleanup in the risk-control table even though those capabilities are not defined in the functional scope above. This creates an authority and expectation mismatch: an implementation may expose undocumented destructive actions, or users/reviewers may be unable to accurately assess what the skill can do, increasing the chance of unsafe invocation or hidden capability abuse.

Intent-Code Divergence (High, 99% confidence)
The code explicitly sets `rejectUnauthorized: false` on the HTTPS agent used for QR-login requests. This disables TLS certificate validation and allows a man-in-the-middle attacker to intercept or modify login traffic, including QR login status and returned authentication cookies, which is especially dangerous in an authentication module handling session secrets.

Context-Inappropriate Capability (Medium, 94% confidence)
The client accepts any absolute URL via `endpoint.startsWith('http') ? endpoint : ...` and unconditionally attaches the authentication cookie header to the request. If untrusted input can influence `endpoint`, this becomes an SSRF-style primitive and can leak 115 session cookies to attacker-controlled hosts, breaking the apparent API-scope boundary of this client.

Vague Triggers (Medium, 94% confidence)
The trigger phrase "下载 xxx" ("download xxx") is overly broad and can match ordinary conversational requests, causing the skill to start an offline download task when the user did not intend to invoke this capability. In a storage-management skill, such unintended task creation can consume account resources, create legal/privacy exposure, and perform network actions on the user's behalf.

Missing User Warnings (Medium, 86% confidence)
The offline download feature accepts magnet/HTTP inputs but does not clearly warn users that submitting such links may disclose interests, initiate third-party network retrieval, and consume storage or account quotas. In a cloud-drive skill handling authenticated sessions, missing disclosure increases the risk of users triggering data-transfer actions without understanding privacy, compliance, or resource consequences.

Missing User Warnings (Medium, 90% confidence)
The smart-organize feature describes automatic file classification and movement without clearly warning that it can bulk-modify the user's directory structure, make files harder to locate, or break workflows. Because this operates on potentially large sets of user data, insufficient warning and confirmation can lead to unintended mass changes that are difficult to reverse.

Missing User Warnings (Medium, 90% confidence)
The organize flow can immediately invoke autoOrganizeByType('0', '/已整理') (target folder "organized") when the message contains '自动' ("auto") or '智能' ("smart"), causing bulk file moves without a confirmation step, preview, or clear scope warning. In a cloud storage skill, unintended file moves can disrupt the user's data organization, violate user expectations, and potentially interfere with downstream workflows even if no files are deleted.

Missing User Warnings (Medium, 90% confidence)
On successful QR login, the code extracts authentication cookies from the automated browser and persists them via cookieStore.save without any visible consent, warning, or scope limitation in this file. These cookies appear sufficient to authenticate as the user, so unauthorized retention, logging, reuse, or exfiltration would enable account takeover for the lifetime of the session.

Missing User Warnings (High, 99% confidence)
Disabling TLS certificate validation for outbound HTTPS requests means the client no longer verifies it is communicating with the real `115.com` service. In this skill context, the affected requests are part of a QR-code login flow, so an attacker on the network path could impersonate the service and capture or inject authentication data, making the issue more dangerous than in a non-sensitive context.

Missing User Warnings (Medium, 88% confidence)
The code persists authentication cookies (UID/CID/SE) to a local cookie store after QR login, and this file provides no user-facing notice, consent flow, or indication of how sensitive those tokens are or how they are protected. Because these cookies are effectively session credentials, storing them increases the risk of account takeover if the backing storage is readable by other users, malware, or logs/debug tooling.

Missing User Warnings (Medium, 98% confidence)
This code always includes a constructed `Cookie` header on outbound requests, with no origin scoping or disclosure, and because absolute URLs are allowed those credentials may be transmitted to non-115 endpoints. That creates a direct credential-exfiltration risk and can expose authenticated session material to third parties or logs/proxies along the path.

Missing User Warnings (Medium, 90% confidence)
The manager persistently stores raw userInput and assistantOutput, which may contain secrets, personal data, or other sensitive conversational context. In a history feature, bulk retention of this content increases exposure risk through later display, search, export, logging, or unauthorized access to in-memory/application state.

Missing User Warnings (Medium, 88% confidence)
The export function allows bulk extraction of stored history records, which can amplify the impact of any sensitive data already retained in records. Even without direct external I/O here, this creates an easy exfiltration path if another component exposes export output to users, plugins, logs, or remote sinks without authorization checks.

Missing User Warnings (Medium, 84% confidence)
The download method writes remotely supplied content to an arbitrary caller-provided local path without validating the destination, restricting directories, or verifying the downloaded content. If untrusted input can control savePath or file metadata in a consuming application, this can enable arbitrary file overwrite, unsafe file placement, or persistence by writing attacker-controlled content to sensitive locations.

Missing User Warnings (Medium, 91% confidence)
The module exposes destructive operations such as deleteTask, batchDeleteTasks, and clearCompleted with no confirmation, dry-run mode, guardrail, or higher-level safety check. In an agent context, a mistaken instruction, prompt injection, or mis-targeted task ID can immediately and irreversibly delete download tasks at scale, making accidental destructive actions more likely.

Missing User Warnings (Medium, 79% confidence)
autoRenew() extends the persisted cookie expiry by locally rewriting expireAt after only checking current session state, without evidence of server-side reissuance, rotation, or integrity protection. If other components trust this local expiry metadata, a stale or invalid session may be treated as active longer than intended, weakening session expiration guarantees.

Missing User Warnings (Medium, 84% confidence)
refreshSession() updates the saved cookie expiration unconditionally whenever a cookie object exists, without validating the cookie first or confirming renewal with the backend. This can allow locally persisted authentication state to outlive its legitimate lifetime and can mislead higher-level logic into treating an expired or invalid session as still valid.

Missing User Warnings (Medium, 89% confidence)
extendSession(durationMs) allows arbitrary extension of the locally stored session lifetime, including caller-controlled durations, with no validation, bounds checking, or backend authorization. In a system where access control depends on this stored session metadata, this creates a straightforward path to bypass intended session timeout policies and retain access far beyond approved limits.

VirusTotal

64/64 vendors flagged this skill as clean.