智灵大数据搜索

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Zeelin search skill, but it can send API keys and searches to a plain-HTTP endpoint and automatically save full results locally.

Install only if you trust Zeelin and intend queries to leave your environment. Before use, change the API URL to HTTPS if supported, verify the endpoint, avoid broad accidental invocations, and delete generated JSON result files when searches contain sensitive topics or identifiers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill requires saving the complete API response to a JSON file in the user's directory, which expands behavior beyond the primary query/response function and creates unnecessary data persistence. If the API returns sensitive content, account identifiers, links, or query history, this can expose private data to other local users, backups, or later unintended access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The document explicitly instructs the skill to inspect dialogue history and inherit prior query parameters, extending behavior beyond a single-turn transformation. This creates hidden statefulness and can cause prior user data to be reused in later API requests without an explicit fresh user confirmation, which is a privacy and authorization concern.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The manifest-level trigger phrases are overly broad, including generic terms such as news, trends, comments, and public-opinion language that can appear in ordinary conversation. This can cause the skill to activate unexpectedly and send user prompts to an external API without sufficiently clear user intent, increasing privacy and data-exposure risk.

Vague Triggers

Severity: High
Confidence: 98%
Finding
The trigger list uses ambiguous ellipsis-based patterns like '...评论' and '...热点话题', which do not define reliable activation boundaries and may match many unrelated requests. In this skill's context, accidental activation is more dangerous because it can lead to external API queries and result persistence without deliberate user invocation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs storing complete API results in a JSON file under the user directory without warning the user that data will persist locally or describing the privacy implications. This undermines informed consent and may leave sensitive search results, entities, links, or metadata retained longer than expected.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The instructions require silently reusing prior query parameters from conversation history without notifying the user. This can leak sensitive topics, entities, time ranges, or sources from an earlier request into a new outbound query, especially when the new input is short or ambiguous.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Reading conversation history for parameter inheritance is a privacy-relevant behavior, yet the skill text does not disclose that prior messages will be accessed and used to construct requests. Undisclosed history access can surprise users and result in unintended transmission of context-derived data to the external Zeelin service.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill explicitly requires exporting all search results to a JSON file in the user directory without any minimization, consent, retention, or sensitivity checks. Search/API responses can contain personal data, URLs, identifiers, or proprietary content, so unconditional local persistence broadens exposure beyond the in-chat preview.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
Persisting the full API response to a user-accessible JSON file and explicitly revealing the path increases the chance that sensitive data will be discoverable and reused by other tools, users, or malware on the system. The danger is heightened here because the response may include comprehensive external-query results and metadata not needed for normal on-screen presentation.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
Instructing the agent to output the complete API response as a user-accessible file increases the chance of disclosing fields that are unnecessary for the user-facing task. Full-response export bypasses least-privilege and data-minimization principles, especially when response schemas may expand over time to include more sensitive metadata.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The skill not only stores the entire API response JSON but also instructs revealing the storage path to the user, which normalizes broad persistence and location disclosure. If the response includes sensitive content or the path reveals local environment details, this can increase privacy and operational security risk.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The prescribed workflow requires writing complete results to the user directory and announcing the exact path, creating a repeated pattern of unnecessary data persistence and path disclosure. This makes accidental overexposure more likely and can leak more data than the preview the user actually needs.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The repeated requirement to always export the full JSON response reinforces unsafe default behavior and removes opportunities for context-sensitive handling. Repetition in the spec makes it more likely implementers will treat broad disclosure as mandatory, even when the results may contain sensitive or excessive data.

VirusTotal

64/64 vendors flagged this skill as clean.
