115 Publish

Security checks across malware telemetry and agentic risk

Overview

This is a real 115 cloud-drive management skill, but it stores reusable account cookies and can make broad account-side file changes without enough confirmation or scoping.

Review carefully before installing on an important 115 account. Treat QR login as granting the skill a reusable local session, avoid automatic organization on broad folders, back up or test with a small directory first, and prefer a version that adds preview/confirmation for bulk moves, clearer cookie retention/logout controls, and normal TLS verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence (High severity, 99% confidence)

The Axios client is configured with an HTTPS agent that sets rejectUnauthorized to false, which disables TLS certificate validation for requests to 115.com. This enables man-in-the-middle interception or tampering of QR login traffic, including login status responses and session cookies, which is especially dangerous in an authentication module handling account access.

Intent-Code Divergence (Medium severity, 89% confidence)

validateSession() only checks local cookie expiry metadata and returns valid even if the cookie has been revoked, tampered with, or rejected by the server. If callers rely on this method for authentication or authorization decisions, they may treat an invalid session as trusted and perform sensitive actions with stale or unauthorized state.

Vague Triggers (Medium severity, 91% confidence)

The trigger phrase “下载 xxx” is broad enough to overlap with ordinary user requests about downloading or obtaining content, which can cause the skill to invoke offline-download behavior when the user did not intend to operate on their 115 account. In this skill, offline download creates persistent account-side tasks, so ambiguous invocation can lead to unintended network use, storage consumption, and potentially risky content acquisition.

Missing User Warnings (Medium severity, 84% confidence)

The offline download feature documents how to add magnet/HTTP tasks but does not clearly warn users about the downstream effects such as consuming account storage, initiating remote retrieval of potentially sensitive or infringing material, and leaving persistent tasks in the account. Because this skill is user-invocable and supports high-impact account actions, weak warning language increases the chance of uninformed or accidental misuse.

Missing User Warnings (Medium severity, 95% confidence)

The organize flow can immediately invoke autoOrganizeByType('0', '/已整理') when the user's message contains '自动' or '智能', causing bulk move/write operations on cloud files without a confirmation step, preview, or rollback. In a file-management skill, unintended reorganization can disrupt user data layout, workflows, and downstream automations even if it does not delete content.

Missing User Warnings (Medium severity, 88% confidence)

The code extracts authenticated session cookies after QR-based login and returns them as a structured object. These values (uid/cid/seid/kid) appear sufficient to represent a live authenticated session, so exposing and handling them without any visible consent flow, minimization, or protection increases the risk of session theft or unintended account access if callers log, leak, or reuse them insecurely.

Missing User Warnings (Medium severity, 92% confidence)

After detecting successful login, the code automatically saves the harvested authentication cookies to persistent storage via cookieStore.save(status.cookie). Persisting reusable session material without explicit user approval, retention controls, or storage safeguards can enable account compromise if the host, logs, or storage backend are accessed by another party.

Missing User Warnings (Medium severity, 90% confidence)

On successful QR login, the code persists UID/CID/SE authentication cookies with a 90-day expiry via cookieStore.save() and does not show any user-consent, minimization, or protection logic in this file. These cookies appear to be bearer-style session secrets, so local disclosure or insecure storage would allow account takeover for the associated 115 session.

Missing User Warnings (Medium severity, 90% confidence)

The module stores raw userInput and assistantOutput in memory and exposes them through retrieval, formatting, and export functions without redaction, minimization, or consent controls. In a history-management context, this can leak sensitive prompts, credentials, personal data, or confidential content to anyone who can access history or exported output.

Missing User Warnings (Medium severity, 83% confidence)

The download path writes remotely supplied content directly to an arbitrary caller-provided local path without validating the destination or constraining where files may be stored. If an untrusted input can influence savePath, this can overwrite local files or place attacker-controlled content in sensitive locations, increasing the risk of file clobbering or persistence.

Missing User Warnings (Medium severity, 86% confidence)

The natural-language parser maps broad prefixes like '删除' directly to destructive commands and returns actionable command objects without any built-in safeguard, friction, or confirmation marker. In a skill-driven system, this increases the chance of accidental deletion or unintended file operations from ambiguous or conversational input, especially if downstream code executes parsed commands automatically.

Missing User Warnings (Medium severity, 90% confidence)

extendSession() extends the session solely by rewriting the local cookie expiration timestamp, without validating the session with the server or enforcing bounds on durationMs. If other parts of the application trust this local expiry, an attacker or buggy caller could artificially prolong access to a stale or revoked session and bypass intended expiration controls.

VirusTotal

64/64 vendors flagged this skill as clean.