关机吧人类

Security checks across malware telemetry and agentic risk

Overview

This paid timer skill mostly matches its stated purpose, but it sends payment credentials over unencrypted HTTP and forcibly closes apps in ways that can cause data loss.

Review carefully before installing. Only use this skill if you trust the publisher, accept that payment/order data is sent to a hardcoded server over unencrypted HTTP, and are comfortable with forced closing of applications that may lose unsaved work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The skill instructs the assistant to include its hidden thought process in user-facing responses, which is unrelated to the timer/shutdown function and requests disclosure of sensitive internal reasoning. Exposing chain-of-thought can leak internal safety logic, prompt structure, and decision-making artifacts that attackers can use to jailbreak or manipulate the agent.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
This repeated instruction again asks the assistant to reveal its thought process, which is not necessary for scheduling software termination and expands the skill beyond its legitimate purpose. Repetition increases the chance the model treats the instruction as high priority and leaks internal reasoning despite policy boundaries.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
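The script's core function is nominally "scheduled closing of software", but it actually implements the ability to send user input to a remote order-placement endpoint and to persist payment/question data locally, which is data collection and outbound communication that does not match the advertised functionality. More seriously, it communicates with a fixed IP over plaintext HTTP, so user questions and order metadata can be eavesdropped on, tampered with, or used for additional profiling, widening the privacy and supply-chain risk.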

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
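For a local automation scenario such as "scheduled closing of software", introducing a remote order-placement capability in itself adds unnecessary attack surface, especially since user input is sent directly to an external service here. The skill metadata already declares this a paid service, so remote payment is not entirely unrelated, but the implementation lacks least privilege and transparent disclosure, turning it from a "business need" into a security risk.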

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill description frames the capability around late-night gaming, chat, and entertainment use, but the implementation also force-kills office applications such as Word, Excel, Outlook, and Teams. That mismatch increases the chance of destructive use and accidental data loss, especially because forced termination can discard unsaved work.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The "全部" option aggregates all predefined categories into a bulk process-kill operation, turning a narrowly described bedtime assistant into a general destructive process terminator. In context, this broadens the blast radius and can abruptly shut down many unrelated applications, increasing the likelihood of data loss and misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill schedules forced closure of software and potentially services without clearly warning users about interruption, unsaved work loss, or side effects. In this context, the omission matters because the action directly affects running applications and could cause data loss or disrupt important sessions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
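The script sends the user's question via plaintext HTTP POST to a fixed remote address, but the code shows no user-facing transmission notice, consent, or data-classification constraint. Although question is described as a software category, it can in fact contain arbitrary text; over an unencrypted transport, both the user input and the returned payment data can be eavesdropped on or tampered with by a man-in-the-middle.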

Missing User Warnings

Medium
Confidence
94% confidence
Finding
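The script writes payment-related information such as the order number, amount, user question, encrypted_data, and pay_to to a local file, but the code shows no user prompt, access control, encryption, or minimized storage. If the local directory permissions are too broad, or the data is read by other processes or misused by downstream components, it can lead to privacy leakage, abuse of the payment flow, or clues for further attacks.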

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code performs forced process termination without any final user confirmation, dry-run preview, or warning about unsaved work. In this skill's context, that makes destructive behavior more dangerous because the action is intentionally disruptive and may be scheduled to run later when the user is no longer actively supervising it.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill sends order number, credential, and other request data to a plain HTTP endpoint, exposing sensitive payment or authorization material to interception and tampering by any network attacker on path. Because the server response gates whether destructive actions proceed, the lack of transport security also allows manipulation of the authorization flow.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly directs disclosure of hidden reasoning, which is a sensitive internal artifact and not needed for the paid software-kill workflow. In a skill that also performs payment handling and system-affecting actions, leaking internal reasoning is especially risky because it can expose guardrails and make follow-on prompt attacks more effective.

Ssd 3

High
Confidence
99% confidence
Finding
This repeated chain-of-thought disclosure instruction reinforces an unsafe behavior that could reveal internal policies, hidden checks, or tool-selection logic. The surrounding context includes payment processing and local system actions, which makes any prompt-leakage issue more dangerous than in a purely informational skill.

VirusTotal

67/67 vendors flagged this skill as clean.
