中文工具包 (Chinese Toolkit)

Security checks across malware telemetry and agentic risk

Overview

The core Chinese text tools are mostly coherent, but the package includes a mismatched installer source and broad publishing, messaging, and account-authenticated instructions that users should review carefully.

Install only after reviewing the installer and trusting the utopia013-droid/luxyoo repository. Avoid running the bundled release or publishing guides unless you are intentionally maintaining and publishing this skill, and verify remotes before any git push or ClawHub publish. Store translation API keys securely and remember that cloud translation sends submitted text to third-party services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (52)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and documents capabilities that access environment variables, read local files, and communicate with external services, but it does not declare corresponding permissions. This creates a transparency and consent gap: users may expose local data or secrets to the skill without clear permission gating, especially given file-processing and API-based translation/OCR features.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The documented scope is a Chinese language processing toolkit, but the described repository structure and referenced scripts indicate broader operational capabilities such as dependency installation, model updates, packaging, and project/release management. This mismatch increases the risk that users invoke or install functionality with system-level side effects that they would not reasonably expect from a text-processing skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This guide directs the user to configure a GitHub remote and publish code/releases, which is outside the declared purpose of a Chinese NLP/OCR toolkit skill. In an agent-skill context, unrelated software publication instructions can cause unintended exfiltration or distribution of local workspace contents to a third-party repository, especially if a user assumes the file is part of normal toolkit operation.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file contains extensive release, distribution, promotion, and support workflows unrelated to the advertised text-processing capabilities. This broad operational guidance increases risk because it normalizes actions that affect external systems and repository state, making it easier for a user or agent to perform unintended non-local actions under the guise of using a language-processing skill.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This guide for a Chinese text-processing skill is centered on repository release and package publication actions rather than the declared end-user functionality. That mismatch is dangerous because it normalizes running supply-chain and publication commands in a context where users would reasonably expect local text-processing features, increasing the chance of unintended code publication or trust abuse.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document instructs users to perform GitHub and ClawHub release operations that are not necessary for using a Chinese toolkit. In skill context, this is more dangerous because users may treat included docs as trusted setup guidance and end up pushing code, creating releases, or publishing artifacts to external registries without fully understanding the consequence.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The troubleshooting flow tells the user to log in to and publish via external services, which requests account-authenticated network actions unrelated to the normal use of a text-processing skill. This expands the attack surface by encouraging credentialed operations and remote publication from within a package that should not need such privileges for ordinary functionality.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The installer will clone and switch into a remote GitHub repository when the expected file is absent, which expands its behavior from local setup into fetching new code from the network. That creates a supply-chain risk because the script is effectively trusting and preparing code that may change over time, and users are not given a strong explicit consent boundary before this occurs.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script bootstraps pip and installs Python packages into the host environment, modifying system or user Python state outside the skill's immediate runtime behavior. This can introduce dependency confusion, package compromise, or environment breakage, especially if run with elevated privileges or on shared systems.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The example in `validate_examples()` executes every Python file in the examples directory with `exec(f.read(), {})`. Even though this appears in documentation, it demonstrates and encourages an unsafe validation pattern that can run arbitrary code from untrusted or modified example files, leading to code execution on the developer's machine or CI environment.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file embeds extensive Discord moderation, support-ticketing, knowledge-base, feedback, and analytics functionality that is unrelated to the declared Chinese text-processing purpose. In an agent skill context, this kind of scope expansion is dangerous because it introduces unexpected data collection, persistent storage, and external communications capabilities that users and reviewers would not reasonably expect from a language toolkit.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
A Discord bot with message-content access, member access, moderation commands, and ticket forwarding is context-inappropriate for a Chinese language toolkit and materially expands the operational privilege surface. If incorporated by an agent or operator without scrutiny, it could enable unexpected monitoring of users, collection of support content, and transmission of data to Discord channels.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The persistent ticketing, feedback, and analytics databases store user identifiers, emails, messages, and behavioral data despite being unrelated to the stated toolkit purpose. In a skill ecosystem, unjustified persistence is risky because it creates hidden retention, profiling, and breach exposure for sensitive user support and activity data.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file adds a full email ingestion capability, including fetching unread messages and parsing message bodies and attachments, which is materially outside the declared scope of a Chinese text-processing toolkit. Unscoped mailbox access creates unnecessary exposure to sensitive communications and credentials, and such hidden capability is especially risky in an agent skill because it could be invoked under the guise of unrelated functionality.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The SQLite-backed inbox system stores message bodies, senders, recipients, metadata, tags, and attachments, implementing persistent communications management unrelated to the advertised Chinese-language toolkit purpose. Hidden data collection and retention broadens the attack surface and can enable unauthorized storage of sensitive user content without clear justification or disclosure.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The IMAP integration connects to external mail infrastructure, authenticates with mailbox credentials, selects the inbox, and retrieves unread emails. For a skill advertised as Chinese text processing, this is an unjustified privileged external access path that could expose mailbox contents and credentials if misused, misconfigured, or silently enabled.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The migration loader dynamically imports and executes every Python file found in a migrations directory via importlib and exec_module. If an attacker can place or modify a file in that directory, they gain arbitrary code execution during configuration migration, which is far beyond the stated purpose of a Chinese text-processing toolkit.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly recommends token-based login using a GitHub token but provides no warning that the token is a sensitive credential, no guidance on least-privilege scopes, and no advice against exposing it in shell history or logs. In a publication guide aimed at end users, this omission can lead to credential leakage and subsequent unauthorized access to the user's GitHub account or connected publishing workflow.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The sample configuration embeds `baiduApiKey` and `baiduSecretKey` directly in a JSON example without warning that these values are secrets or that translation APIs may transmit user text to a third party. Users may copy this pattern into checked-in config files, causing credential exposure and unintended disclosure of potentially sensitive text sent for translation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide tells users to run `git reset --hard HEAD` and `git clean -fd` as troubleshooting steps without any warning that these commands permanently discard uncommitted changes and delete untracked files. In a release guide, users are likely to copy-paste commands directly, so omission of data-loss warnings creates a real safety issue even if it is not malicious.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document recommends `git push ... --force` without warning that force-push rewrites remote history and can overwrite collaborators' work. In publishing instructions, this is especially risky because operators may run it on the primary branch or release tag without understanding the consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide includes live `git push`, tagging, and release steps that make irreversible changes to remote repositories, but it does not clearly warn readers that these commands will publish code externally. In an agent-skill context, documentation that normalizes direct execution without an explicit safety notice increases the chance of accidental publication or pushing to the wrong repository.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The ClawHub login and publish instructions initiate authentication and public distribution, but the document does not warn that `npx clawhub login` may grant account access and `publish` may make the skill publicly available. In a skill package, this omission can mislead users into authenticating and publishing under their own account without understanding the consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The one-click PowerShell script chains version bumping, commit, tag creation, remote push, and marketplace publication into a single workflow without any consolidated risk notice or interactive confirmation. This raises the likelihood of accidental bulk actions, unintended disclosure, or publishing unreviewed code, especially if copied and run by users who assume it is a safe helper script.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
These instructions tell the user to bump versions, commit, tag, and push to a remote repository without any warning that the commands change repository history/state and may publish code externally. In a skill context, presenting state-changing commands as routine steps is dangerous because it can lead to accidental release of sensitive or unfinished content and irreversible repository modifications.

VirusTotal

66/66 vendors flagged this skill as clean.
