Connector Hub

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad connector hub that can send messages, upload files, and create records in external services, but some of that write authority is under-scoped or mislabeled as query-style usage.

Install only if you want one broad skill with many live external integrations. Use least-privilege tokens, prefer test workspaces first, and review each script before running it because some commands send messages, upload local files, or create persistent records in third-party systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (37)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document gives contradictory authentication guidance: it first specifies Tencent Weiyun client_id/client_secret variables, then later describes a generic 'API Key / SMTP' flow and API_KEY environment variable. This mismatch can cause users or downstream agents to use the wrong auth model, leading to failed integrations, accidental credential misuse, or insecure workarounds when authentication does not behave as documented.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The document labels this connector as a read-only 'pure API query' integration, but the included scripts perform write operations that create stories and bugs in TAPD. This mismatch can mislead users or downstream agents into invoking the skill under the false assumption that it is non-destructive, increasing the risk of unintended remote state changes.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation is internally inconsistent: it presents the connector as query-only while simultaneously advertising requirement and bug creation/update capabilities. In an agent skill context, such contradictory semantics are dangerous because policy or approval logic may rely on the declared capability level and fail to apply stricter controls to mutating actions.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file performs a real outbound message send, while the skill is described as a connector overview and selection hub. That capability mismatch is dangerous because users or higher-level agents may invoke it expecting reference or decision support, but it can actually trigger side effects in an external enterprise messaging system.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The script performs a state-changing GitHub action by creating a pull request, which is more dangerous than a read-only connector/query utility and can surprise users or downstream agents. In an agent-skill context, this expands impact from information retrieval to repository modification workflows, enabling unauthorized or unintended PR creation if invoked with ambient GitHub credentials.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script presents itself as querying TDX K-line data, but the implementation only fabricates local mock values. In a connector-hub context, this is dangerous because users or downstream agents may trust the output as real market data and make decisions based on false information, creating integrity and workflow risks even though there is no direct code-execution issue.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The file is packaged as an API/connector script but never contacts any external API or data source, instead returning synthetic data. In this skill context, that mismatch is especially risky because the hub is supposed to be a unified entry point for real connectors, so consumers may rely on fabricated results as if they were authoritative external data.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script claims to query real-time Tongdaxin market data, but the implementation returns hardcoded mock values for every requested stock code. In a finance connector context, this is dangerous because downstream users or agents may make decisions based on fabricated data while believing it is live market information.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as a connector/API integration entry point, but this script never connects to any external service and instead fabricates local quote objects. That mismatch can mislead operators, automation, or other agents into trusting nonexistent integration behavior, which is especially risky in a financial data workflow where authenticity and freshness matter.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill is described as a connector/reference hub, but this script can create TAPD stories, which is a remote mutation capability. That mismatch increases the chance that users or higher-level agents invoke it expecting passive lookup/reference behavior while actually causing changes in an external system. In skill ecosystems, capability/manifest mismatch is dangerous because it weakens user consent and policy controls.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script accesses TAPD workspace and API token secrets from the environment even though the surrounding skill is framed as a catalog/hub. In a mixed-trust agent environment, undeclared secret access broadens the skill's effective privilege and can surprise operators who would not expect credential consumption from a reference-oriented skill.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger terms are very broad, including generic words like 'connector', 'API对接', '平台集成', and '数据源', which are likely to appear in ordinary user requests. Over-broad activation can cause the skill to be selected unexpectedly, exposing powerful scripts and external integrations in contexts where the user did not intend to authorize those actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The usage section tells users to run scripts directly but does not warn that those scripts may send chat messages and emails, create documents/records/tickets, open PRs/issues, or upload files to third-party services. Missing warnings reduce informed consent and make accidental side effects more likely, especially because the skill spans many external systems and credential types.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file documents how to configure a DingTalk webhook and secret and emphasizes easy message sending, including support for @all notifications, but it does not warn that arbitrary message content will be transmitted to an external service or that mass notifications can create operational and social-engineering risk. In this context, the omission matters because this is an executable integration guide, not a purely descriptive reference, so users may unknowingly send sensitive data or spam broad groups.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file instructs users to place email credentials and API keys into environment variables without any warning about secret sensitivity, storage hygiene, shell history exposure, or least-privilege handling. In a skill context that drives executable scripts for sending email, this increases the chance of credential leakage through logs, shared shells, screenshots, process inspection, or accidental reuse across environments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation describes operations that can modify, overwrite, delete, or disclose user data, but it does not warn users about those risks or require confirmation before destructive or sharing actions. In a connector skill that interacts with cloud storage, this omission increases the chance of accidental data loss or unintended exposure, especially because the same skill advertises upload, download, management, and share-link generation as routine capabilities.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file instructs users to configure OAuth secrets and access tokens but does not warn that these credentials are sensitive and grant access to cloud-stored files. Without clear handling guidance, users may expose tokens in shells, logs, screenshots, shared transcripts, or unsafe environments, leading to unauthorized access to Baidu Netdisk data.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The file instructs users to place secrets in environment variables but does not include any warning about protecting those credentials, avoiding logs, or preventing accidental disclosure. In a connector skill context, such omissions increase the chance that users paste secrets into shared terminals, scripts, screenshots, or prompts, which can expose cloud storage access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document instructs users to send customer-service messages and configure API credentials but does not warn about outbound-action risk, misuse of live messaging, or safe secret handling. In a skill context, this increases the chance that users will unknowingly automate real external communications or expose sensitive credentials in unsafe environments, leading to unauthorized messaging, account abuse, or credential leakage.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document advertises collection and analysis of survey responses without any warning that responses may contain personal or sensitive data. In this context, the skill is specifically designed to access respondent submissions, so lack of privacy guidance increases the risk of accidental over-collection, inappropriate disclosure, or unsafe downstream sharing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The embedded example fetches survey responses using OAuth credentials and formats respondent answers for display, but the markdown gives no user-facing warning about sensitive-content exposure. Because this skill context directly retrieves and prints answer data, it can lead to privacy leaks through console output, copied reports, screenshots, or insecure handling of exported data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document shows credential-handling examples for a GitHub personal access token and GitHub App private key without any warning about secret sensitivity, storage hygiene, or scope minimization. In a skill context, users may copy these examples into shells, scripts, logs, or shared environments, increasing the risk of credential leakage and subsequent unauthorized GitHub access.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The file instructs users to configure API tokens via environment variables but provides no warning about token sensitivity, scope minimization, storage hygiene, or avoiding accidental disclosure in shells, logs, and screenshots. In a connector skill centered on API integration, credential handling is security-relevant context, so incomplete guidance can materially increase the chance of credential exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documentation and sample code direct users to send enterprise identifiers and an API token to Tianyancha, but it does not clearly warn that user input and credentials will be transmitted to an external third-party service. In a connector skill, this omission matters because users may assume a local lookup or may not realize the privacy, compliance, and data-handling implications of querying external commercial data providers.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The markdown provides ready-to-run scripts that send project data to TAPD and create remote artifacts, but it does not clearly warn users that titles, descriptions, owners, and modules will be transmitted externally and persisted. In a skill ecosystem, this omission can lead to accidental disclosure of sensitive project information and unintended creation of records in production workspaces.

VirusTotal

65/65 vendors flagged this skill as clean.
