Byted Kickart Marketing Material Generator

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a marketing-video workflow, but it handles credentials, chat metadata, background execution, and account-side actions in ways that need careful review before installation.

Install only if you trust the publisher and are comfortable with the skill using cloud credentials, uploading media to Volcengine/Kickart services, sending QR/results into chat, and running a background polling process. Do not paste broad or production access keys into chat; use least-privilege credentials and inspect/redact logs because the scripts can log authorization headers and request content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

Tainted flow: 'headers' from os.getenv (line 349, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
debug_print(f"result is {url}")
debug_print(f"headers is {headers}")
debug_print(f"url is {url}, body is {body_bytes}")
resp = requests.post(url, data=body_bytes, headers=headers, timeout=30)

try:
    result = resp.json()
Confidence
79% confidence
Finding
resp = requests.post(url, data=body_bytes, headers=headers, timeout=30)

Tainted flow: 'headers' from os.getenv (line 349, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if extra_query:
    url += "&" + urlencode(extra_query)
debug_print(f"url is {url}, data size is {len(data)}")
resp = requests.post(url, data=data, headers=headers, timeout=60)

try:
    result = resp.json()
Confidence
79% confidence
Finding
resp = requests.post(url, data=data, headers=headers, timeout=60)

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
Requiring the agent to inspect `openclaw.json` for model input settings is a local configuration disclosure step not clearly necessary for generating marketing videos from user content. Reading unrelated local config increases the attack surface because it can expose deployment details and normalize access to host-side files beyond user-provided inputs.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The skill instructs the agent to read local reference files and verify whether authentication environment variables are configured, which can lead to probing of host secrets or secret presence outside the user's requested task. Even if values are not printed, checking local auth state from within the skill expands trust boundaries and may facilitate credential discovery patterns.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The guidance requires the agent to persist user requirements and task metadata such as task ID, session ID, submission time, parameters, and confirmed user needs into session context. While operationally useful, this goes beyond the minimum data needed for one-shot creative analysis and increases the amount and lifetime of potentially sensitive user/business data retained by the system. In a marketing workflow, these details can reveal campaign strategy, audience targeting, and uploaded-material linkage, creating unnecessary privacy and data-governance risk if reused, overexposed, or retained too long.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The guide explicitly instructs the agent to ask users to paste ACCESS_KEY_ID and SECRET_ACCESS_KEY directly into chat, then export and reuse them. For a marketing-video generation skill, collecting cloud credentials in-band is not necessary and creates a clear credential harvesting and misuse risk, especially because chat channels, logs, and downstream systems may expose secrets.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document says credentials are only temporarily set, but also references users sending them via chat and database masking, which indicates broader handling than ephemeral process-only use. This inconsistency increases the chance that secrets are retained in logs, telemetry, conversation history, or storage layers despite claims of non-persistence.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The guide requires passing complete inbound metadata and conversation context to the publishing script even though the skill’s public purpose is QR/link generation for video publishing. This creates an undocumented data-flow expansion and may expose identifiers, routing fields, or other contextual data to code paths that do not need them, increasing privacy and abuse risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Full inbound metadata and conversation context are not necessary to generate a QR code from a video URL and post body, so requiring them violates data minimization and broadens access to sensitive conversational information. If the script logs, forwards, or mishandles these inputs, it could leak user, channel, or conversation details beyond the expected publishing workflow.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script includes a debug capability that enumerates all platform users and prints detailed metadata, which exceeds what is needed to upload marketing media. This expands data exposure and can leak identities, roles, and organizational details to operators or logs, especially risky because the skill's declared purpose does not justify broad user discovery.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill spawns a detached background shell process on the host to perform polling, which is a privileged local execution capability beyond the immediate user-visible action. Even if intended for async job completion, this design expands attack surface, complicates auditing, and can be abused for persistence-like behavior or unmonitored execution if surrounding inputs or the script are compromised.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code sends a generated QR image directly to a chat recipient using chat_id and message_id metadata, which introduces behavior beyond simple media generation. Because it transmits content and conversation-derived identifiers externally without explicit confirmation in this flow, it can surprise users and create an unauthorized messaging/data-disclosure channel.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill invokes an external CLI to send a message, which expands trust to an out-of-process component not justified by the visible marketing-video generation purpose. That creates a covert capability for transmitting files and chat context through tooling outside the main application controls, increasing supply-chain and abuse risk.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The command is described as publishing video to Douyin, but it actually generates a QR code and jump link and sends the QR image via chat. This mismatch is dangerous because users, reviewers, or orchestrators may grant permissions or invoke the tool under false assumptions, enabling undisclosed messaging and redirection behavior.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill manifest describes a marketing-video generation workflow, but the exposed command performs an unrelated registration call to "RegisterArkClawCombo". This functionality mismatch is dangerous because users invoking the skill for media-generation tasks could instead trigger an undisclosed account-side action, indicating deceptive behavior and possible abuse of user credentials or service entitlements.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code logs the full request URL, headers, and body before sending the request, which includes the Authorization header containing the computed signature and may include user content in the body. It also logs full response headers and body, creating a high risk of credential leakage, sensitive user data exposure, and replay/intelligence value in centralized logs or error monitoring systems.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code logs the full request URL, headers, and body before sending, and logs full response headers and body afterward. Because the headers include a Bearer token and the body/response may contain user-uploaded marketing assets or task data, anyone with log access can recover credentials and sensitive content, enabling unauthorized API use and data exposure.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Trigger phrases such as '查询进度', '查看结果', '生成怎么样了' and '好了吗' are broad conversational terms that can appear in unrelated user messages. In this skill, that increases the chance of unintended guide activation and execution of task-query logic based on weak intent matching, which can cause incorrect tool use, data leakage from prior session state, or disruption of the intended workflow.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The mandatory rule forces the agent to prioritize this guide whenever ambiguous keywords are matched, without enough scope restriction or contextual validation. Because the skill manages asynchronous marketing-media workflows and persists Task IDs in session context, a false trigger could cause the agent to query or expose results from the wrong task, perform unintended backend actions, or derail the conversation from the user's actual request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example command explicitly passes the full unmodified metadata blob, including identifiers such as chat_id, account_id, provider, and channel, into a script, but the document does not disclose the privacy/security implications or constrain how that data is stored, logged, or transmitted. In this skill context, that metadata is enough to link actions to a specific user/session and may be exposed through process arguments, logs, shell history, or downstream services, creating avoidable privacy and data-handling risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The guide directs users to transmit access keys through chat without meaningful warning about exposure risks or safer alternatives. Sending secrets through a conversation interface is dangerous because transcripts may be visible to operators, retained by systems, or accidentally disclosed, making credential compromise more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The debug routine prints sensitive user metadata including IDs, names, descriptions, team info, role info, and the full user object without a strong warning or access control boundary. If logs are retained or exposed, this becomes a straightforward privacy and reconnaissance leak that is unnecessary for a marketing-material workflow.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code launches a background shell task without any visible disclosure, consent, or audit signal to the user, despite creating execution that persists beyond the immediate command. In an agent-skill context, undisclosed detached execution is risky because it hides operational behavior from users and operators and can mask misuse or unexpected resource consumption.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill passes session and chat metadata (`session`, `channel`, `chat_id`) into a detached background process without clear minimization or disclosure. In a background execution context, propagating user/session identifiers increases privacy and misuse risk, especially if the child script logs, forwards, or mishandles them outside the original request lifecycle.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The `add` command uploads a user-supplied local file to a remote server via `upload({"file": file})`, but the CLI text and output do not clearly warn the user that the file will leave the local environment. In a skill that handles arbitrary user images and videos, this can cause unintended disclosure of sensitive media or metadata if users believe the action is only local validation or processing.

VirusTotal

VirusTotal findings are pending for this skill version.
