Byteplan Chat

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real BytePlan charting skill, but it uses stored account credentials with broad scope and sends credential-backed requests to a configurable external endpoint.

Review before installing. If possible, use a limited or read-only BytePlan account. Verify that BYTEPLAN_BASE_URL points at the intended BytePlan host, avoid write scope unless it is required, keep .env private, and do not run this skill on sensitive business queries unless you are comfortable sending them to the configured BytePlan API endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'PUBLIC_KEY_URL' from os.getenv (line 56, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
headers["referrer"] = f"{BASE_URL}/"
    
    try:
        response = requests.get(
            PUBLIC_KEY_URL,
            headers=headers,
            timeout=10
Confidence
96% confidence
Finding
response = requests.get( PUBLIC_KEY_URL, headers=headers, timeout=10 )

Tainted flow: 'LOGIN_URL' from os.getenv (line 57, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
    
    try:
        response = requests.post(
            LOGIN_URL,
            data=login_payload,
            headers=headers,
Confidence
97% confidence
Finding
response = requests.post( LOGIN_URL, data=login_payload, headers=headers, auth=(AUTH_USER, AUTH_PASS), timeout=10 )

Tainted flow: 'url' from os.getenv (line 335, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
    
    try:
        response = requests.post(url, headers=headers, json=payload, stream=True, timeout=60)
        
        if response.status_code != 200:
            print(f"❌ 请求失败,状态码:{response.status_code}")
Confidence
90% confidence
Finding
response = requests.post(url, headers=headers, json=payload, stream=True, timeout=60)

Tainted flow: 'url' from os.getenv (line 335, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
    
    try:
        response = requests.post(url, headers=headers, json=payload, stream=True, timeout=120)
        
        if response.status_code != 200:
            print(f"\n❌ 请求失败,状态码:{response.status_code}")
Confidence
90% confidence
Finding
response = requests.post(url, headers=headers, json=payload, stream=True, timeout=120)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes access to environment variables, local files, networked APIs, and shell execution (`uv run python`), yet no explicit permissions are declared. This creates a trust gap where a host may expose more capability than users or reviewers expect, increasing the risk of credential access, unintended file reads, or outbound data exfiltration through the BytePlan API flow.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The installation guide instructs users to create a `.env` file containing BytePlan API credentials but provides no guidance on protecting, excluding, or rotating those secrets. In a skill that accesses external APIs, this increases the chance that credentials are committed to source control, copied into logs, or left on disk insecurely, enabling unauthorized access to the associated BytePlan environment.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is broad enough to overlap with common user requests such as generic data analysis or chart generation, which can cause the skill to activate unexpectedly. When combined with network access and credential-backed API use, accidental invocation may send user queries or internal data requests to an external service without sufficiently explicit user intent.

VirusTotal

65/65 vendors flagged this skill as clean.
