Security audit

Cue Buddy

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Cue template-authoring purpose, but it includes under-disclosed local file upload capability and automatic update-check behavior that users should review before installing.

Install only if you are comfortable giving the skill a Cue API key, allowing it to create or modify your Cue templates, run paid Cue research tests after confirmation, and make occasional GitHub update checks. Do not use it with confidential local documents unless you first remove or disable the file-upload helper and verify your agent will keep reference materials local.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (14)

Tainted flow: 'req' from os.environ.get (line 826, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    req.add_header("Authorization", f"Bearer {api_key}")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as e:
        detail = e.read().decode("utf-8", errors="replace")[:400]
        raise CueAPIError(e.code, detail, "/file_server/upload") from e
Confidence
82% confidence
Finding
resp = urllib.request.urlopen(req, timeout=timeout)

Tainted flow: 'env' from os.environ.get (line 805, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        env = {"GIT_AUTHOR_NAME": "T", "GIT_AUTHOR_EMAIL": "t@t",
               "GIT_COMMITTER_NAME": "T", "GIT_COMMITTER_EMAIL": "t@t",
               "PATH": os.environ.get("PATH", "")}
        subprocess.run(["git", "init", "-q", "-b", "main", str(tmp)],
                       check=True, env=env)
        (tmp / "file.txt").write_text("hi")
        subprocess.run(["git", "-C", str(tmp), "add", "."],
Confidence
67% confidence
Finding
subprocess.run(["git", "init", "-q", "-b", "main", str(tmp)], check=True, env=env)

Tainted flow: 'env' from os.environ.get (line 805, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        subprocess.run(["git", "init", "-q", "-b", "main", str(tmp)],
                       check=True, env=env)
        (tmp / "file.txt").write_text("hi")
        subprocess.run(["git", "-C", str(tmp), "add", "."],
                       check=True, env=env)
        subprocess.run(["git", "-C", str(tmp), "commit", "-q", "-m", "init"],
                       check=True, env=env)
Confidence
67% confidence
Finding
subprocess.run(["git", "-C", str(tmp), "add", "."], check=True, env=env)

Tainted flow: 'env' from os.environ.get (line 805, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        (tmp / "file.txt").write_text("hi")
        subprocess.run(["git", "-C", str(tmp), "add", "."],
                       check=True, env=env)
        subprocess.run(["git", "-C", str(tmp), "commit", "-q", "-m", "init"],
                       check=True, env=env)

    def test_current_branch_returns_main_after_init(self) -> None:
Confidence
67% confidence
Finding
subprocess.run(["git", "-C", str(tmp), "commit", "-q", "-m", "init"], check=True, env=env)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares no permissions while explicitly directing the agent to use environment variables, local file reads/writes, shell execution, and outbound network access. This under-specifies the trust boundary and can cause hosts or users to grant a far broader execution surface than the manifest communicates, increasing the chance of unintended code execution, data exposure, or silent remote actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose frames the skill as a template-authoring helper, but the documented behavior extends to live remote research runs, replay, query rewriting, file upload workflows, catalog search, and self-upgrade. That mismatch can mislead users and orchestrators into invoking a skill with materially broader data-handling and execution behaviors than expected, which is especially risky because several of those actions contact remote services or alter local state.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill says private-data scenarios should be refused, yet it explicitly encourages users to provide internal SOPs, local files, and internal materials for drafting. Even if the intent is to keep those materials local, this creates a confusing and risky boundary that can lead users to paste sensitive internal content into an agent context that also has shell, file, and network capabilities.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
A self-upgrade path that fetches code from GitHub and may invoke local git operations expands the attack surface well beyond template authoring. If the upstream repository, transport, or local checkout state is compromised, the skill can prompt users into pulling unreviewed code into their agent environment, creating a software supply-chain risk.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill says private-data scenarios should be refused, yet it explicitly encourages users to provide internal SOPs, local files, and internal materials for drafting. Even if the intent is to keep those materials local, this creates a confusing and risky boundary that can lead users to paste sensitive internal content into an agent context that also has shell, file, and network capabilities.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill metadata says it is for public-data template authoring/validation, but this file includes a generic local file upload capability. That broadens the tool surface beyond the declared scope and increases the chance the agent could be steered into transmitting private documents, which is particularly concerning because the skill description explicitly says to refuse private-data scenarios.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The example trigger phrases are broad enough that ordinary user requests like 'design a buddy for X' or '测一下我刚才那个搭子' could activate this skill unintentionally in agents that rely on loose natural-language routing. In this skill, accidental activation is more concerning because downstream verbs can create templates, test against live production APIs, and incur real charges if the agent proceeds without a strong confirmation boundary.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that the skill can write to the user's template library, pin templates as frequent, and run real paid research tasks, but the warnings are fragmented rather than presented as a prominent global risk notice. In a multi-agent setting, users may treat documentation examples as low-risk chat behavior and not realize that normal conversation can lead to persistent changes or billable API calls.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The upload path reads a local file and sends it to a remote server with no explicit user-facing warning, confirmation, or classification check in code. In an agent context, this is dangerous because a user may not realize that a local document's full contents will leave the machine, and the skill's public-data-only framing makes such silent transmission more surprising and risky.

Session Persistence

Medium
Category
Rogue Agent
Content
| `+unfrequent <template_id>` | Remove the "frequent" mark, taking the template off the "Frequent" area of the home page | No | `POST /api/templates/frequent` (`is_frequent=false`) |
| `+upgrade` | Check for, and (after confirmation) upgrade, the skill itself to the latest GitHub `main`. git-clone installs run `git pull --ff-only`; copy installs get manual instructions; if there are uncommitted local changes, abort rather than force-overwrite. **Note: the semantics are completely different from `+update <template_id>` (which modifies a template)** | No | (GitHub raw + `git pull`, **local operation**) |

**All live verbs**: `+author / +capabilities / +validate / +create / +list / +get / +update / +test / +tune / +frequent / +unfrequent / +upgrade`.

**`+upgrade` and the session-start silent-check**: when the agent loads this SKILL.md, it is **recommended** to silently run once before executing any verb: `python3 cue-buddy/scripts/update_skill.py --silent-check`. This is a lightweight version comparison with a 24h cooldown; when the local copy is behind, it prints only a single line to stderr, `ℹ️ cue-skills/cue-buddy 有新版可用 vX → vY,运行 +upgrade 升级`, and **does not prompt, block, or automatically pull**. On network failure it skips silently (and retries next time). The cooldown timestamp is stored in `~/.cue/last-update-check.json`.
Confidence
88% confidence
Finding
create / +list / +get / +update / +test / +tune / +frequent / +unfrequent / +upgrade`. **`+upgrade` and the session-start silent-check**: when the agent loads this SKILL.md, it is **recommended** to silently run once before executing any verb: `python3 cue-buddy/s

VirusTotal

VirusTotal findings are pending for this skill version.