ITSM Ticket Auto-Submission (ITSM 工单自动提交)

Security checks across malware telemetry and agentic risk

Overview

This skill does automate ITSM ticket submission, but it embeds credentials, can submit real tickets without a review step, and performs broad automatic setup on the user’s machine.

Install only after reviewing the code and changing how credentials are handled. Do not use the embedded credential; rotate it if it is real. Run the skill only in an isolated environment or browser profile, expect that it may install packages or execute downloaded setup code, and verify ticket details before allowing it to submit to the ITSM system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documentation explicitly states that first run will automatically install chromium-browser and Python packages, expanding the skill from ticket submission into system modification. This is dangerous because package installation changes the host environment, may require elevated privileges, and can introduce unreviewed software or supply-chain risk unrelated to the core business action of filing an ITSM ticket.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The troubleshooting section instructs users to run apt-get to install chromium-browser, giving the skill operational guidance for system package management outside its primary purpose. Even in documentation, encouraging privileged package installation increases the chance of unnecessary host changes and normalizes elevated operations for a routine automation task.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script automatically installs Python packages, bootstraps pip, and even downloads and executes get-pip.py from the network. This materially expands its behavior from launching/submitting an ITSM ticket into modifying the host and running remote bootstrap code, which creates supply-chain and environment-integrity risk if the network source or package resolution is compromised.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script uses sudo apt-get to install chromium-browser during normal execution, granting package-management capability unrelated to the core action of submitting a ticket. Automatic privileged installation can alter the system unexpectedly and becomes dangerous if the package source, repository configuration, or invocation context is untrusted.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The comment claims the skill is 'zero dependency' while the script actually installs Python dependencies, may install pip, and may install Chromium. This mismatch can mislead users about the trust boundary and system changes they are consenting to, increasing the chance they run the script without appropriate scrutiny.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script accepts credentials and other sensitive values from command-line arguments, then prints raw arguments and parsed key/value pairs to stdout. On multi-user systems or CI environments, command-line arguments and console logs may be captured by shell history, process listings, job logs, or monitoring systems, exposing usernames, passwords, file paths, and ticket contents.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill documentation exposes a default username and password and presents them as usable defaults without any warning. Hardcoded or documented default credentials are highly dangerous because they can be reused by unauthorized parties, encourage insecure deployment, and may directly expose the target ITSM system if the credentials are valid.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation says the script will automatically install software and submit tickets on first run, but it does not provide a clear warning about these external side effects. This is risky because users may trigger network actions and system changes without informed consent, leading to unintended submissions, policy violations, or unsafe execution in restricted environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script begins package installation and environment modification without an upfront warning that it may change the local Python environment or install tooling. Even if intended for convenience, silent modification reduces informed consent and can break managed environments or violate least-surprise expectations.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script downloads get-pip.py from the internet and executes it locally, which is effectively remote code execution through a bootstrap channel. This is especially risky because it happens automatically and without strong verification, so a MITM, compromised host, or redirected source could execute arbitrary code on the machine.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The automation clicks the final submit button immediately after filling the form, with no review or confirmation gate. In an ITSM workflow this can create unintended tickets, submit incorrect data, or trigger downstream operational actions that are difficult to retract.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script hardcodes credentials directly in the CONFIG object and is designed to use them for automated login. Embedded secrets are easily leaked through source control, code sharing, backups, screenshots, and local debugging, and the surrounding script behavior also prints configuration-related values, increasing exposure risk.

VirusTotal

61/61 vendors flagged this skill as clean.
