Security audit

humanize

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Chinese copy-rewriting tool that installs a local runtime, uses model backends, and stores run artifacts as part of its stated workflow.

Install only if you are comfortable with a local Python runtime, dependency/model downloads, run folders containing your drafts and outputs, and use of your configured CoPaw or local OpenAI-compatible model backend. Avoid submitting confidential customer, legal, or internal text unless your active model and local filesystem retention are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (21)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
run_dir = output_root / case_id
if run_dir.exists():
    subprocess.run(["rm", "-rf", str(run_dir)], check=True)

cmd = [
    python_bin,
Confidence: 91%
Finding:
subprocess.run(["rm", "-rf", str(run_dir)], check=True)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    check=True,
    env=_subprocess_env(),
)
subprocess.run(
    [
        str(runtime_python()),
        "-m",
Confidence: 84%
Finding:
subprocess.run( [ str(runtime_python()), "-m", "pip", "install", "--disable-pip-version-check", "-r", st

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
def run_command(command: Iterable[str], *, env: dict[str, str] | None = None) -> None:
    subprocess.run(list(command), check=True, env=_subprocess_env(env))
Confidence: 89%
Finding:
subprocess.run(list(command), check=True, env=_subprocess_env(env))

Description-Behavior Mismatch

Severity: High
Confidence: 91%
Finding:
This script implements a generic baseline-versus-challenger scoring pipeline that is materially broader than the declared purpose of a Chinese copy humanization skill. Capability mismatch is dangerous because it can hide undeclared evaluation or optimization workflows inside a benign-looking skill package, reducing transparency and making it easier to repurpose the skill for covert ranking or policy-bypass tuning.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding:
The automated keep/discard decision logic enables systematic comparison and selection of outputs, which is not justified by the stated end-user function of rewriting Chinese copy to sound more natural. In this context, the undisclosed automation increases risk because it provides hidden optimization infrastructure that could be used to iteratively tune prompts or outputs beyond the user-visible purpose of the skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The installer copies the repository into the user's CoPaw skill pool and workspace, then edits the local workspace manifest to register and optionally enable the skill. That behavior is outside the humanization skill's declared purpose and creates persistent local state changes, which increases risk because installing the skill also grants it a foothold in the agent environment and may surprise users or bypass normal review expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
For a text-humanization skill, shell-level recursive deletion is unnecessary and expands the skill's capabilities beyond its stated purpose. Even in a regression script, this creates avoidable destructive filesystem power that could delete arbitrary directories if an operator passes an unsafe output root or if path handling is later weakened.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill advertises text humanization, but this module creates a runtime, installs packages, and downloads model artifacts from Hugging Face. That mismatch increases risk because users may grant trust appropriate for a copywriting tool while the code performs software installation and network retrieval on the host.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding:
The module probes host interpreters and includes a general pattern of launching local processes, which is not tightly aligned with the stated purpose of rewriting Chinese copy. In this skill context, unjustified execution capability is more dangerous because it expands the attack surface far beyond content transformation.

Vague Triggers

Severity: Medium
Confidence: 77%
Finding:
The invocation guidance is broad enough that ordinary user phrasing about making text sound more human could trigger the skill automatically. Because this skill performs shell execution, local file writes, and possibly model bootstrap/network access, over-broad activation raises the risk of unintended tool use and data handling without a clear user request for those operations.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The loose fallback examples allow very ambiguous natural-language requests to count as valid activation input. In context, that means the agent may infer permission to launch the full local optimization pipeline, persist user drafts, and reveal process artifacts when the user may have wanted only a simple rewrite.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The code sends prompts and model payloads over HTTP to a configurable endpoint without any in-code disclosure, consent, or trust-boundary checks. In this skill context, user-provided drafts may contain sensitive communications content, so silently transmitting them to a service selected by environment or log-derived URL increases privacy and data exfiltration risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
This path forwards full system and user prompts to another script via a subprocess, again without visible disclosure or minimization. Although the bridge is local, it expands the data exposure surface to another process and potentially another provider selected by the bridge, which matters because this skill processes user communication text that may include confidential business or personal content.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The script persists the raw user brief, parsed payload, session plan, and original text to disk by default under the runs directory, with no minimization, redaction, consent check, or retention control. Because this skill is designed for human communication tasks, inputs are likely to contain sensitive personal, business, customer-service, or internal communication data, so local disclosure risk is materially increased if the filesystem is shared, backed up, synced, or later exposed.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The script persistently writes user briefs, parsed payloads, source text, model generations, scoring details, and trace artifacts to the run directory. If those inputs contain sensitive business, customer, or personal data, the tool creates an undeclared local data-retention surface that can expose information to other users, backups, logs, or later processes.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The code sends the task, original/source text, constraints, and rewrite content to a model backend via call_chat without any visible notice or consent mechanism in this file. In a skill intended for humanizing Chinese communications, that content may routinely include customer messages, internal business updates, complaint handling, recruiting emails, and other sensitive text, making undisclosed third-party transmission materially risky.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding:
The output payload includes backend metadata such as llm_base_url, llm_model, and backend error details. While not usually critical alone, exposing internal service endpoints or configuration details can aid reconnaissance, leak provider relationships, or reveal internal infrastructure to downstream consumers who do not need that information.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This runtime bootstrap installs packages and later enables model download without any visible warning or consent in the file. Silent software installation and network activity are risky because they can surprise users, bypass informed trust decisions, and increase exposure to supply-chain compromise.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The force-reinstall path deletes the runtime virtual environment recursively without a visible warning or confirmation. While the target path is scoped under the skill runtime directory, destructive file operations still warrant explicit safeguards to prevent accidental data loss or misuse if path assumptions ever break.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The code persists a rolling history that includes the full task text plus previews of baseline and challenger outputs to a JSON file on disk. In a copywriting skill, those fields can contain sensitive business communications, personal data, customer messages, or confidential drafts, so local persistence creates an unnecessary data-retention and privacy exposure if the runtime directory is accessible, backed up, or reused across sessions.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The skill mandates always revealing the full optimization process and relaying user-visible output verbatim, including baseline text, candidate drafts, scores, failure tags, and traces. For rewrite tasks, this can unnecessarily expose sensitive user-provided message content and internal session metadata, violating data minimization and potentially disclosing confidential drafts or context to the end user or downstream logs.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.