Brand Monitor - Brand Sentiment Monitoring

Security checks across malware telemetry and agentic risk

Overview

This is a real brand-monitoring skill, but it needs Review because it combines shell execution, third-party reporting, and retained monitoring data without enough safety controls.

Review before installing. Use only with trusted brand names and configuration values, protect SERPAPI_KEY and Feishu webhook URLs as secrets, restrict who can invoke the skill, and avoid enabling scheduled runs, Feishu/SMS alerts, or memory retention until you are comfortable with what data will be sent and stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill declares only allowed tools, but the documentation indicates broader effective capabilities including shell execution, environment/config access, and network egress. This creates a transparency and review gap: operators may approve the skill as low-risk monitoring while it can invoke code paths and outbound communication that are not clearly permission-scoped.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: There is a material description-behavior mismatch: the skill is presented as a monitoring/analysis tool, but the documented behavior and accompanying codebase reportedly include third-party search dependence, webhook configuration, packaging/release scripts, and incomplete implementation of the promised analysis. Such mismatches undermine informed consent and can hide data flows or operational behaviors that users and reviewers did not agree to.

Intent-Code Divergence
Severity: Medium
Confidence: 91%
Finding: The release notes state that the skill does not store sensitive information, but the documented setup requires users to handle a SerpAPI key and a Feishu webhook, both of which are sensitive secrets. This creates a misleading security claim that may cause users to underestimate credential exposure and mishandle configuration files, logs, or shared environments.

Context-Inappropriate Capability
Severity: Low
Confidence: 94%
Finding: The skill requires a Feishu webhook and sends reports externally, but the user-facing description frames the capability mainly as monitoring. Without a prominent disclosure, sensitive brand monitoring results, account identifiers, or incident details may be transmitted off-platform unexpectedly.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The prompt instructs the agent to immediately push alerts to Feishu, mention users, optionally send SMS, and create follow-up tasks. That expands the skill from passive monitoring/analysis into taking external actions, which can cause unintended notifications, operational disruption, or spam if the analysis is wrong or manipulated by adversarial content.

Description-Behavior Mismatch
Severity: Low
Confidence: 78%
Finding: The prompt goes beyond monitoring by generating suggested public-facing reply templates and response strategies. While not inherently malicious, this broadens the skill into quasi-PR automation, which increases the chance of unsafe, inaccurate, or legally problematic responses being drafted from noisy or unverified social content.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The prompt extends a brand-monitoring analysis task into outbound delivery via a Feishu webhook, which creates an external data exfiltration path not clearly disclosed by the skill's stated purpose. Even if the report is business-related, sending generated analysis off-platform without explicit user approval or destination validation can leak sensitive internal monitoring results.

Description-Behavior Mismatch
Severity: Low
Confidence: 86%
Finding: The skill stores derived trend-analysis outputs back into memory, expanding behavior from retrieval/analysis into persistent retention. This can create unnecessary long-term storage of potentially sensitive business intelligence and user-derived data, especially when users are not informed that new records will be written.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: Outbound Feishu webhook use is not inherently malicious, but in this skill it is not clearly justified as necessary for basic brand mention monitoring and analysis. Because webhook delivery can transmit compiled trend intelligence to arbitrary external endpoints, it increases the risk of unauthorized disclosure if misconfigured or abused.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The prompt expands the skill from monitoring/analysis into external report delivery and persistent storage, causing data exfiltration and retention behaviors beyond the stated scope. That matters because the collected content may include URLs, author metadata, sentiment judgments, and alert classifications that users may not expect to be transmitted or stored automatically.

Missing User Warnings
Severity: Medium
Confidence: 77%
Finding: The README explicitly promotes collecting brand mentions from multiple domestic platforms and pushing reports to Feishu, but it does not clearly warn users that collected content, summaries, or metadata may be transmitted to third-party services such as SerpAPI, Feishu, and the configured LLM provider. This is a genuine security/privacy weakness because operators may unknowingly send potentially sensitive monitoring data off-platform without understanding the data flow or retention implications.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The documentation instructs users to configure a Feishu webhook for alert delivery, which means monitored content will be transmitted to an external service. Without an explicit warning about outbound data sharing, users may unknowingly send sensitive brand-monitoring results, internal terms, or incident-related content to third parties.

Missing User Warnings
Severity: Low
Confidence: 78%
Finding: The setup instructions tell users to place a SerpAPI key in environment variables but do not include basic credential-handling warnings. While this is common practice, omitting guidance increases the chance of accidental exposure through shell history, screenshots, shared terminals, or unsafe persistence in profile files.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The activation phrases are broad enough to match ordinary conversation about monitoring, analysis, trends, reputation, or brand mentions. Over-broad triggers can cause unintended execution, leading to surprise network activity, crawling, or external webhook reporting without clear user intent.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The documentation does not prominently warn users that monitoring results will be transmitted to an external Feishu webhook. This creates a consent and data-handling risk because users may provide sensitive monitoring targets or findings under the assumption that processing stays local.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The guide tells users to register for SerpAPI, obtain an API key, and run searches against a third-party provider, but it does not disclose that brand names, search terms, timing, IP/proxy metadata, and other request details will be transmitted to SerpAPI and potentially upstream search engines. In a brand-monitoring skill, those queries may contain sensitive business interests or customer-related terms, so the omission creates a real privacy and data-governance risk even if it is not overtly malicious.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The code sends user-supplied search queries to SerpAPI, a third-party service, but only prints operational status and setup hints rather than clearly warning users that their queries and related metadata will leave the local environment. In a brand-monitoring context, search terms may contain sensitive business interests, incident terms, competitor names, or internal watchlists, so undisclosed third-party transmission creates a real privacy and compliance risk.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill directs immediate alerting and persistent storage of detailed content, usernames, profile links, follower counts, and engagement data, but provides no privacy minimization, retention limits, or user-impact safeguards. In a monitoring skill that ingests third-party social data, this creates meaningful privacy, compliance, and misuse risk, especially when records are retained and redistributed across messaging systems.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The prompt instructs the agent to push the generated report to a Feishu webhook without any user-facing warning that analyzed data will leave the system. This lack of transparency undermines informed consent and can expose confidential brand monitoring insights to third-party services or unintended recipients.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The prompt directs the agent to save derived analysis results to memory without notifying the user that additional persistent records will be created. Undisclosed retention of business analysis can create privacy, governance, and data lifecycle risks, especially if the memory store is later queried by other workflows.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The workflow stores detailed monitoring results, including top mentions and alert lists, without any explicit notice or consent regarding retention. This creates a privacy and governance risk because collected third-party content, author details, and generated classifications may be retained longer than necessary and reused outside the immediate task.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The prompt sends monitoring reports to a Feishu webhook without clearly warning the user that collected content and analysis will be transmitted to an external service. This is dangerous because it can silently disclose scraped content, links, sentiment labels, and possibly author metadata to a third-party destination outside the agent environment.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The guide recommends persisting the SERPAPI key in ~/.bashrc, which increases the chance of credential exposure through shell history, dotfile syncing, backups, shared accounts, or accidental disclosure. While this is common operational guidance rather than overtly malicious behavior, it normalizes long-lived secret storage without any warning or safer alternative.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The example includes a Feishu webhook URL in config without noting that webhook URLs function as bearer secrets and can be abused by anyone who obtains them to send unauthorized messages to the target group. In a skill that encourages config editing and sharing examples, omission of this warning materially raises the risk of accidental leakage via repos, screenshots, or logs.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The systemd example embeds the API key directly in a service unit, which can expose credentials through readable unit files, configuration management systems, backups, or administrative inspection. In context this is more dangerous than the shell example because service files are often centrally managed, copied, and inspected across systems.

VirusTotal

64/64 vendors flagged this skill as clean.