
Security audit

Xia Card

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real contact-card manager, but it needs Review because received card data can trigger local contact changes and can steer skill installation from untrusted card metadata.

Install only if you are comfortable with this skill storing contact/profile data locally and publishing selected profile fields to adonghub.cn. Treat config.json as sensitive because it stores the generated API key. Review the public fields before confirming publication, and do not approve any skill installation prompted by a received card unless you independently verify the source and publisher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding: The document makes a strong privacy promise that `personal_notes` and `background` are never uploaded, but elsewhere defines upload behavior as driven by `tiers.public.fields`. Since the example `tiers.public.fields` is user-configurable and no schema or server-side denylist is described, implementers may accidentally include sensitive local-only fields and transmit them to the server, causing a confidentiality breach in a contact/card skill that handles personal data.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The manual explicitly instructs the agent to auto-install a skill using an installation source taken from the received card payload's `_skill` field after only a user confirmation prompt. Because that metadata originates from an external message and is therefore untrusted, this creates a supply-chain/code-execution path where an attacker can send a crafted card that causes installation of arbitrary skill code.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The trigger description is very broad, covering common terms like contacts, address book, and messages containing a custom protocol. This can cause the skill to activate in situations the user did not clearly intend, increasing the chance of unexpected contact processing, data modification, or network actions in a privacy-sensitive domain.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill states that when a message contains `agent-card://`, it will automatically recognize and save another person's card. In a messaging context, this enables silent ingestion and storage of third-party personal data without an explicit user approval step, making accidental capture, spoofed-card ingestion, and privacy violations more likely.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The workflow automatically registers the user, stores server credentials, and publishes profile data to a remote service after confirmation of the card content, but without a clear, separate warning about external transmission, account creation, and ongoing linkage to a server-side identity. In a personal profile skill, this context is especially sensitive because the uploaded data is identity-related and shareable by design.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The documented flow automatically registers the user and publishes profile data to a remote server once the user confirms the card content, but it does not require a clear, specific disclosure that personal profile fields will be transmitted off-device. In a contact/card-management skill, this increases privacy risk because users may believe they are only saving locally while the agent silently sends identifying data to `www.adonghub.cn`.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The manual allows skill installation triggered by a received card and sourced from external payload metadata without any safety warning, trust model, or verification requirements. In context, incoming `agent-card://` messages are attacker-controllable, so coupling message receipt to install behavior materially increases the chance of users approving malicious code from an untrusted source.

VirusTotal

64/64 vendors flagged this skill as clean.
