Security audit

happynewyear

Security checks across malware telemetry and agentic risk

Overview

This skill appears to make the promised New Year fortune video, but it has risky implementation choices users should review before installing.

Review before installing, especially in shared or sensitive environments. Only use it after replacing embedded API keys with your own secure configuration, restoring normal HTTPS certificate verification, removing automatic pip installs in favor of pinned preinstalled dependencies, and informing users that their personal fortune inputs and generated text may be sent to external AI, image, and speech services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        "--quiet",
        "--root-user-action=ignore"
    ]
    subprocess.check_call(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    time.sleep(1)
except subprocess.CalledProcessError:
    cmd = [
Confidence
96% confidence
Finding
subprocess.check_call(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            *missing_libs,
            "-i", "https://pypi.tuna.tsinghua.edu.cn/simple"
        ]
        subprocess.check_call(cmd)

if optional_missing:
    try:
Confidence
96% confidence
Finding
subprocess.check_call(cmd)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = [sys.executable, "-m", "pip", "install", "imgkit",
           "-i", "https://pypi.tuna.tsinghua.edu.cn/simple",
           "--quiet", "--root-user-action=ignore"]
    subprocess.check_call(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
elif "selenium" in optional_missing and "webdriver-manager" in optional_missing:
    cmd = [sys.executable, "-m", "pip", "install", "selenium", "webdriver-manager",
           "-i", "https://pypi.tuna.tsinghua.edu.cn/simple",
Confidence
93% confidence
Finding
subprocess.check_call(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        cmd = [sys.executable, "-m", "pip", "install", "selenium", "webdriver-manager",
               "-i", "https://pypi.tuna.tsinghua.edu.cn/simple",
               "--quiet", "--root-user-action=ignore"]
        subprocess.check_call(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
except Exception:
    pass
Confidence
94% confidence
Finding
subprocess.check_call(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions while the metadata indicates capabilities for file I/O, network access, and shell execution. This creates a transparency and consent gap: users and platforms cannot accurately assess what the skill will do, and hidden network/shell behavior materially increases abuse potential if the implementation is unsafe or compromised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is simple video generation, but the described behavior includes sending personal data to external LLM/TTS/image services, auto-installing dependencies, exposing HTML as an output, and using hardcoded API keys. This mismatch is dangerous because it conceals third-party data disclosure, expands the attack surface, and suggests secrets-management and supply-chain risks not communicated to the user.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill self-installs Python packages and invokes subprocesses to do so during normal execution. That behavior is not justified by the declared purpose and creates a clear supply-chain execution path where remote package content can run code on the host.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script globally disables TLS certificate verification and hostname checking for outbound HTTPS requests. This permits man-in-the-middle interception or tampering of API responses and downloaded media, which is especially dangerous because the skill also handles API keys and downloads remote content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill asks for personal attributes such as name, gender, birth date, personality, and wishes without providing any privacy notice or explaining how that data is used, stored, or shared. In this context, that omission is particularly risky because the skill is also reported to send data to external services, increasing the likelihood of unintended disclosure of sensitive personal information.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code sends detailed personal data, including name, birth information, location, and user wishes, to a remote LLM API without explicit notice or consent handling in the script. This is a privacy and data-governance issue that becomes more serious because the data is sensitive and unnecessary to send without clear disclosure controls.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends generated user-derived content to an external TTS endpoint without clearly informing the user that their data leaves the local environment. Even if the text is derived rather than raw input, it can still contain sensitive personal details inferred from the original prompt.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/happynewyear.py:94

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/happynewyear.py:204