芊云VR全景运营小助手

Security checks across malware telemetry and agentic risk

Overview

This VR management skill mostly fits its purpose, but it silently installs and runs an external helper while handling account tokens and generated integration code in risky ways.

Install only if you trust the publisher, the 9kvr service, and the helper binary delivery path. If you do install it:
  • Use a scoped or test token where possible.
  • Avoid pasting secrets into shared chats or terminals, and rotate tokens if exposed.
  • Upload only intended media files.
  • Review generated integration code so developer keys remain server-side.
  • Require explicit confirmation before deletes or bulk changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding:
The skill silently downloads an executable from a remote CDN and installs it locally, which materially exceeds the stated VR content-management purpose and creates a supply-chain execution path. If the CDN, network path, or environment variable controlling the CDN is compromised, an attacker can deliver arbitrary code that will later run on the host.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding:
The code executes a local binary as part of normal operation, and that binary may have been previously downloaded from the network without strong integrity verification. This turns routine API usage into arbitrary native code execution in the user's environment, making the skill far more dangerous than its declared business purpose suggests.

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding:
This is a true vulnerability: the generated Vue web integration code claims to use a 'normal link' or a server-side proxy pattern, but the actual template embeds a developer URL containing `YOUR_SECRET_KEY` directly in front-end code. In this skill's context, users will copy-paste generated code into production integrations, so the mismatch between the security guidance and the emitted code materially increases the chance of secret exposure and unauthorized use of the developer account.

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding:
This React branch is also a true vulnerability. The comments indicate either a safe public-link flow or a server-side proxy flow, but the generated code still sets the iframe URL to a front-end developer link with the secret key, which exposes credentials to any user inspecting the app or network traffic.

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding:
The vanilla web code path is a true vulnerability for the same reason: it labels the example as a normal-link or server-side pattern, but actually generates JavaScript that constructs a developer URL with `YOUR_SECRET_KEY` in the browser. Because this tool is explicitly for integration guidance, insecure sample code is especially risky since developers are likely to deploy it as-is.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
Finding:
This is a broader true vulnerability in the `generateIntegrationCode` feature: despite being a documentation/code-generation tool, it emits multiple insecure examples that place developer secrets into front-end or otherwise user-accessible code. The skill context makes this more dangerous than a stray comment because the purpose of the tool is to produce ready-to-use integration snippets, so insecure generation directly drives insecure deployments at scale.

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding:
The 'existing project' generator contradicts the file's earlier security guidance by outputting iframe and JavaScript examples with a cleartext developer key in front-end code. In website/CMS scenarios this is especially dangerous because source, HTML, and network requests are readily inspectable, enabling credential theft, unauthorized API use, and abuse of the developer account.

Context-Inappropriate Capability

Severity: High | Confidence: 96%
Finding:
The upload_media tool accepts an arbitrary string and, if it matches an existing local path, opens and uploads that file. In an agent/tool context this creates a local file exfiltration primitive: a prompt or chained action could cause sensitive host files such as config files, keys, or tokens to be read from disk and sent to the remote API, which is not necessary for normal VR media management.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
Finding:
The prompt explicitly instructs the agent to build and execute a subprocess login command using user-supplied uid and token. In an agent setting, turning untrusted conversational input into shell command arguments creates a dangerous boundary crossing and can lead to credential exposure, command/argument injection risk depending on implementation, and unauthorized persistence of authenticated sessions.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
The README explicitly instructs users to provide `uid` and `token` in natural-language prompts, but it does not warn that tokens are sensitive secrets, should not be exposed in shared chats/logs, and should be stored securely. In an AI-agent setting, this is dangerous because prompts may be retained in conversation history, telemetry, screenshots, or third-party tooling, increasing the risk of credential leakage and account compromise.

Missing User Warnings

Severity: Low | Confidence: 81%
Finding:
The skill advertises modification and deletion capabilities for works, assets, and hotspots without pairing those actions with prominent safeguards such as confirmation, preview, scope checks, or rollback guidance. In a natural-language agent workflow, ambiguous requests can lead to unintended destructive changes, especially when the assistant operates on the wrong work ID or misinterprets user intent.

Vague Triggers

Severity: Medium | Confidence: 77%
Finding:
The invocation description is broad and phrased as natural-language triggers, which can cause the agent to activate this skill for loosely related requests without strong scope checks. Because the skill includes sensitive actions such as configuring login tokens, modifying or deleting content, and generating integration artifacts, overbroad triggering increases the chance of unintended or unsafe actions.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding:
The documentation instructs users to set `token` and `uid` directly on the command line, which commonly exposes secrets through shell history, process listings, terminal logs, and screenshots. In a skill focused on account configuration, this raises a real credential-handling risk because users are likely to copy-paste live tokens exactly as shown.

Missing User Warnings

Severity: Low | Confidence: 82%
Finding:
The upload command documents sending local files to a remote service without warning users that the file contents may leave the host and be stored or processed externally. While this is normal behavior for an upload feature, the missing privacy/data-handling warning can lead to accidental transmission of sensitive images or assets.

Missing User Warnings

Severity: Low | Confidence: 85%
Finding:
The voice generation and upload commands send user-provided text or audio to external services, but the documentation does not warn that potentially sensitive spoken content, transcripts, or recordings may be transmitted and retained. This is a real privacy issue, especially because narration content can include proprietary or personal information in a production workflow.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding:
The example instructs users to configure a UID and token directly via CLI without any warning about secret handling, shell history exposure, shared terminal sessions, or least-privilege storage. In a skill centered on account login configuration, this omission increases the chance that real credentials will be pasted into insecure environments, logged, or leaked during demos and support workflows.

Missing User Warnings

Severity: Medium | Confidence: 84%
Finding:
The deletion walkthrough documents `vr scenes delete 3009` as a normal example but does not explicitly warn that deletion may be irreversible or that dependent assets, hotspots, or published experiences may be affected. Because this skill manages production VR content, users may copy-paste the example into live environments and cause unintended data loss or service disruption.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
The router explicitly instructs users to pass sensitive authentication material via command-line flags and example utterances (UID and token) without any warning about secure handling, masking, storage, or log exposure. In agent and CLI environments, secrets provided as arguments may be captured in shell history, process listings, transcripts, or tool logs, increasing the chance of credential leakage and account compromise.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding:
The workflow explicitly instructs operators to run `vr config --show` to verify authentication setup, but provides no warning that this may reveal sensitive token material on screen, in logs, or in shared terminal sessions. In a skill focused on account configuration and operational workflows, normalizing display of auth state increases the chance of credential exposure during demos, screen sharing, shell history capture, or support troubleshooting.

Missing User Warnings

Severity: Medium | Confidence: 87%
Finding:
The login configuration flow tells users to persist `uid` and `token` into local authentication state without any notice about where credentials are stored, how long they persist, or the risks of storing secrets on disk. This is dangerous because users may configure long-lived credentials on insecure or shared machines, leading to unauthorized API access if the workstation, config files, or backups are exposed.

Missing User Warnings

Severity: High | Confidence: 97%
Finding:
The skill automatically downloads and installs an executable without any user-facing disclosure or consent. In a skill context, that is highly risky because users expect data-management behavior, not silent software installation that can change the local execution environment.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding:
The login command passes uid and token as command-line arguments to a child process. Command-line arguments can be exposed through process listings, debugging tools, crash reports, or system telemetry, causing credential leakage.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
The request path automatically injects uid and token into request data and forwards the combined payload to an external client, without clear user disclosure. This broadens credential exposure and makes accidental transmission of secrets to unintended endpoints or logs more likely, especially because the `api` and `headers` values are caller-controlled.

Missing User Warnings

High
Confidence
97% confidence
Finding
The upload routine base64-encodes file contents, adds credentials, and hands both to an external executable with no user-facing warning. In this skill context, that is especially dangerous because uploaded media may be sensitive and the helper process becomes a broad exfiltration point for both content and authentication material.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `media delete` command performs irreversible deletion directly from user input with no interactive confirmation, dry-run, or clearly named override flag. In a CLI that manages remote VR assets, a mistyped ID, shell history reuse, or scripted invocation can cause unintended permanent data loss at scale.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
