Byted Market Insight Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real market-insight integration, but it needs review because it can automatically read local credential configuration, store credentials, and install an SDK during use.

Install only if you trust the publisher and are comfortable with the skill automatically looking for Volcengine/Gateway credentials in shell startup files, reusing locally stored credentials, making external API calls, and possibly installing the Volcengine SDK. Prefer least-privileged credentials, disable auto-pip with `MARKET_INSIGHT_AUTO_PIP=0` if unwanted, and remove or protect `persist/auth.json` when you no longer need the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = [sys.executable, "-m", "pip", "install", SDK_MIN_VERSION_SPEC]

    try:
        proc = subprocess.run(
            cmd,
            check=False,
            stdout=subprocess.PIPE,
Confidence
95% confidence
Finding
proc = subprocess.run( cmd, check=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, )

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Auto-installing Python packages is beyond the stated responsibility of an authentication/provider selection module and introduces an unnecessary execution primitive. In a skill context, this is more dangerous because the agent may trigger environment mutation during normal use, increasing supply-chain and persistence risk on the host.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The docstring says the module performs no real network calls, but pip installation typically requires network access and remote package retrieval. This mismatch can mislead reviewers and operators into underestimating the module's behavior and approving it in more restrictive environments.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger conditions are extremely broad, covering generic discussions of brands, competitors, trends, hot topics, and even related concepts without explicit mention of the product. This can cause the skill to activate in many normal conversations, increasing the chance that sensitive local actions like credential lookup, persistence, or network requests occur in contexts where the user did not intend to use this skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that it will minimize questioning by reusing credentials and persisting them in a private directory, but does not clearly foreground the privacy implications or require informed consent. Persisting authentication material and silently reusing it across sessions materially raises the risk of unauthorized access, accidental cross-task use, and local secret exposure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly instructs that API Gateway keys and official AK/SK credentials are persisted to a local `persist/auth.json` file for reuse, but it does not provide a clear warning about local secret-storage risks, file permissions, encryption, or multi-user/host exposure. Because these are long-lived access credentials for an external service, compromise of the local workspace, logs, backups, or shared volumes could expose them and enable unauthorized API access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code performs automatic SDK installation and environment modification without explicit confirmation in this file, which can surprise users and violate least astonishment. In an agent skill, silent package installation is especially risky because it may occur as a side effect of handling ordinary prompts, leading to unintended code download and execution on the host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The module persists API keys and secret keys to `persist/auth.json` with no visible encryption, permission hardening, or explicit warning to the user. Local secret storage can expose long-lived credentials to other local users, backups, logs, or accidental source-control inclusion if the persist directory is mishandled.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to read shell startup files like ~/.bashrc and ~/.zshrc to harvest credential values. Even if described as read-only parsing, this is still secret collection from unrelated local files and can expose API keys, tokens, and other sensitive configuration without clear necessity or user consent.

VirusTotal

67/67 vendors flagged this skill as clean.