ClawHub

Tdl Download Notify

Security checks across malware telemetry and agentic risk

Overview

This skill does its stated Telegram download-and-notify job, but it uses a bundled Server Chan key that can send private download details to an account the installer may not control.

Review before installing. Replace the hardcoded Server Chan SendKey with your own secret, rotate or revoke the exposed key if it belongs to you, use a dedicated download directory, and only run it when you are comfortable sending Telegram source links, filenames, sizes, timestamps, paths, and error messages to the configured Server Chan account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares runnable Bash/Python tooling with shell, file-read, and network capabilities, but does not explicitly declare permissions or user-facing safeguards for those actions. This increases the risk of unintended execution, data access, or outbound transmission without clear consent boundaries, especially because the skill downloads files and sends notifications externally.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The documentation includes a concrete Server酱 SendKey, which appears to be a live credential or credential-like secret embedded in the skill. Exposing notification service credentials can allow unauthorized use of the account, spam, metadata exfiltration, or abuse of the associated messaging channel.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script contains a hard-coded Server酱 SENDKEY directly in source code. Embedded credentials can be extracted by anyone with access to the skill, enabling unauthorized use of the notification account and making secret rotation difficult.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation text is broad enough that an agent may auto-trigger this skill from natural-language requests without a strong confirmation boundary. Because the skill performs downloads and sends file/link metadata to an external service, ambiguous triggering can lead to unintended processing or disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description does not prominently warn that Telegram links, filenames, sizes, timestamps, and possibly directory paths will be sent to Server酱, an external notification service. This is a privacy and data-handling issue because users may reasonably expect local download automation, not third-party transmission of metadata.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill not only embeds a notification credential but uses it automatically without clear disclosure to the user. This creates an undisclosed outbound integration path and can cause users to unknowingly rely on or expose a third-party account they do not control.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends downloaded file metadata, including filenames, sizes, timestamps, and source context, to an external Server酱 endpoint. In this skill context, that increases risk because downloaded filenames often contain sensitive or identifying information, and the exfiltration happens automatically without explicit consent at runtime.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal