Korean Statute/Case Law Search (한국 법령/판례 검색)

Security checks across malware telemetry and agentic risk

Overview

This legal-search skill has a legitimate purpose, but its scripts expose users to local code-execution and credential-leak risks that warrant review before installation.

Review or patch the scripts before installing. At minimum, pass user input to Python through argv or stdin instead of embedding it in python3 -c source, use HTTPS where supported, avoid placing API keys in URLs, lock credential files to the owner, and treat optional Notion/Telegram/search features as opt-in only for non-sensitive legal queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares connector-backed network and shell-driven scripts but does not explicitly declare the permissions/capabilities required to use them. This creates a transparency and governance gap: users or hosting platforms may not realize the skill can make outbound requests and invoke shell scripts, which increases the chance of unexpected execution or misuse.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documented scope exceeds the stated manifest purpose by including Notion persistence, Telegram notifications, and supplementary web search, none of which are part of a narrow law/case lookup function. Scope drift like this is dangerous because it can enable hidden data egress or secondary actions beyond what users expect when invoking a legal search skill.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Saving legal search results to Notion and sending alerts via Telegram are not necessary for the core purpose of statute/case retrieval, and they introduce additional exfiltration paths for potentially sensitive user legal questions. In legal-assistance contexts, even seemingly routine queries may contain private or high-stakes information, making unjustified persistence and messaging more risky.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script silently reads a local API key and transmits it in an outbound request without any disclosure to the user. Because the request uses a URL query string, the credential may also be exposed through shell history, process listings, proxy logs, or network monitoring, increasing the chance of credential leakage.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script performs the API call over plain HTTP, allowing anyone on the network path to observe or tamper with the response and to steal the API key included in the request. This is especially dangerous here because both the credential and user query are transmitted in cleartext.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script sends the API key over plain HTTP in the query string, exposing it to interception by network attackers and to leakage via intermediary logs, proxies, or monitoring systems. Because the key is a bearer credential, anyone who captures it may be able to use the government API as the user or exhaust the user's quota.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends both the user's query and the API key over plain HTTP, not HTTPS. This allows network attackers on the path to intercept or modify the search query, harvest the API credential, or tamper with the XML response returned to the script.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script sends both the user's legal query and the API key in a request URL over plain HTTP, allowing interception or modification by a network attacker. Because the credential is placed in the URL, it may also leak via logs, proxies, browser/history equivalents, or process inspection in surrounding tooling.

VirusTotal

64/64 vendors reported this skill as clean.