Byted Data Label

Security checks across malware telemetry and agentic risk

Overview

This skill is built for Seederive cloud data labeling, but it uses broad automatic routing, cloud credentials, runtime package installation, and unconfirmed remote delete/update actions that users should review carefully.

Install only if you intentionally want an agent to use Seederive/Volcengine for cloud-based data labeling. Use least-privileged credentials, verify the API endpoint, preinstall dependencies instead of allowing runtime pip installs, and require explicit confirmation before uploads, model changes, backfills, optimizations, or deletions.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("缺少 requests 库,正在安装...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "requests", "-q"])
    import requests
Confidence
94% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "requests", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes shell commands, accesses environment variables for AK/SK, and performs network-backed operations, but does not declare any permissions or capability boundaries. This undermines least-privilege enforcement and informed consent, making it easier for the skill to access credentials and transmit user data without clear platform-level controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The published description frames the skill as a data-labeling and analysis helper, but the documented behavior extends to broad task administration, model management, error-case management, and direct authenticated backend operations. This mismatch can cause users or reviewers to underestimate the level of control and data access the skill has, increasing the risk of over-trust and unintended privileged actions.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Auto-installing Python packages at runtime is not necessary for a labeling CLI and introduces arbitrary third-party code into the execution environment without operator approval. That behavior is especially risky in agent-operated environments because it creates side effects, network egress, and potential execution of attacker-controlled dependency content.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger conditions are extremely broad and mandate use of this skill for many common analysis requests, including generic phrases like analyzing comments, translating a batch, or processing CSV/Excel files. Overbroad routing increases accidental invocation, which can lead to unnecessary credential use, external data transmission, and execution of shell/network actions on content that the user did not intend to send to this integration.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the operator to use access/secret key environment variables and to run connectivity and processing commands against a remote service, but it provides no warning about sensitive credential handling or that uploaded text/files will leave the local environment. In a skill that processes potentially sensitive text, speech, image, CSV, and Excel data, the absence of disclosure materially increases privacy and secret-exposure risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are very broad and map many common requests to this skill, increasing the chance the agent invokes it when the user did not intend to use Seederive or authorize external processing. In this skill, invocation can lead to uploading datasets, changing model settings, and modifying task configuration, so over-triggering creates a real risk of unintended data transfer and state-changing actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The execution steps instruct the agent to upload error cases, generate files from task data, trigger optimization, and change live model configuration without explicit user-facing warnings or confirmation gates. Because the skill handles potentially sensitive text/CSV data and can mutate production task behavior, the missing warnings materially increase the risk of privacy exposure, accidental data exfiltration to a third-party service, and unintended operational changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents a destructive `delete` operation for a tag base without requiring any user confirmation, warning about permanence, or guidance to verify the target ID before execution. In an agent setting, this increases the risk of accidental or misinterpreted deletion of production resources, especially if the agent acts on ambiguous user requests or stale IDs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The update flow states that supplying only a new `doc-info` will automatically delete the old file, but this is presented as a note rather than a mandatory user-facing warning or confirmation gate. Because file replacement implicitly removes prior data, an agent could cause unintended data loss during routine updates if the user does not understand the overwrite semantics.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly supports task deletion and lists the delete command, but it provides no requirement to confirm destructive actions with the user before execution. In an agent setting, this raises the risk of accidental or prompt-induced deletion of existing tasks, causing operational disruption or loss of task configurations/results.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill requires setting `VOLCENGINE_ACCESS_KEY` and `VOLCENGINE_SECRET_KEY` but gives no guidance on secure handling, storage, redaction, or prohibitions against echoing credentials in logs or chat. In an agent workflow, this can lead to credential exposure through command history, transcripts, screenshots, or debugging output, enabling unauthorized access to the external service.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The task deletion command performs a destructive remote action immediately with no confirmation, dry-run, or safety interlock. In an agent skill, this increases the chance of accidental or prompt-induced deletion of production tasks and data-processing configurations.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The error-case deletion path removes records directly from a comma-separated ID list without any user-facing confirmation or undo guard. In a batch-analysis skill, accidental invocation could irreversibly remove training or QA artifacts that are operationally important.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
Deleting tag-base resources without confirmation is a real safety issue because tag bases are core classification assets for this skill’s business purpose. In this context, unintended deletion can disrupt labeling pipelines, corrupt consistency of results, and cause broader operational loss than a generic CLI would.

VirusTotal

66/66 vendors flagged this skill as clean.