Zhipu Tools Coding Plan

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned but needs Review because it can upload user-supplied local files or media to Zhipu/Z.AI APIs, and because its billing and fallback behavior is documented inconsistently in ways that could surprise users.

Install only if you are comfortable sending search queries, URLs, repository paths, and any selected local files, images, or videos to Zhipu/Z.AI. Avoid using it on confidential documents or screenshots unless that is approved, keep .env limited to the Zhipu key, and be aware that some code paths use Legacy/direct APIs or shell fallback behavior that can consume account balance despite the free-tool messaging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents capabilities to access environment variables, invoke shell commands, and make network requests, yet no explicit permissions are declared. This weakens user and platform visibility into what the skill can do and increases the chance of over-privileged execution or accidental secret exposure, especially because the docs mention auto-loading `.env` and using API keys.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared description understates the actual behaviors: the skill also reads local configuration via `.env`, reads repository structures/files, and performs video analysis in addition to image analysis. This mismatch can mislead users and orchestrators about data flows and trust boundaries, causing unanticipated transmission of local files, credentials, or other sensitive content to third-party services.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The documentation is internally inconsistent about whether file parsing is free under the Coding Plan or is Legacy-only and billed to the account balance. This can cause users or agents to trigger chargeable operations under mistaken assumptions, creating financial risk and unsafe automation decisions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The wrapper reads every key/value pair from a local .env file and exports them into the process environment before invoking the Python tool. This broad environment injection is not constrained to the specific API key needed, so any accidental or attacker-influenced entries in .env can affect downstream program behavior or expose unrelated secrets to child processes.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill advertises free Coding Plan tooling, but the implementation also exposes Legacy API paths such as vision and file parsing that can consume billable account resources. This can mislead users into sending data or invoking functions under a false assumption of zero cost.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The top-level documentation claims all functionality is currently free, while the vision path explicitly uses a reverse-engineered direct chat completions API and even notes billing may change. That mismatch increases the chance of unintentional cost exposure and undermines informed user consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises web reading, repository file reading, and local file parsing, but it does not clearly warn users that supplied URLs, repo paths, and uploaded local files are transmitted to third-party Zhipu/Z.AI services. This creates a real privacy and data-handling risk because users may unknowingly send sensitive internal documents, private repository content, or confidential URLs to an external provider.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation mapping ties broad everyday phrases such as '搜一下/查一下/找一下' (roughly "search it", "look it up", "find it") to this external skill, which can cause unintended activation. In context, unintended activation is meaningful because the skill can perform network calls and may send user queries or linked resources to third-party endpoints without a deliberate tool choice.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly supports transmitting local files and remote URLs for vision and file parsing, but the docs do not provide a clear, prominent privacy warning. This is dangerous because screenshots, documents, and videos often contain sensitive data, and local files are base64-encoded and sent to external services, expanding the risk of data leakage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script transmits a user-specified local file to a third-party API endpoint using curl, but it does not present any explicit warning, confirmation, or notice that file contents will leave the local environment. In an agent-skill context, this is security-relevant because users may assume a local parsing operation while the script actually exfiltrates potentially sensitive documents to a remote service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script forwards a user-supplied image path or URL and prompt to an external Python tool that is intended to call a remote vision API, but this file provides no explicit disclosure, confirmation, or privacy warning before transmitting that content off-host. In a tooling skill context, users may reasonably provide local screenshots, documents, or sensitive URLs, so silent exfiltration to a third-party service creates a real confidentiality and consent risk even if it is part of the advertised functionality.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently loads and exports all variables from ../.env, including credentials, without notifying the user. In a skill context, this increases the risk of unintended secret propagation to invoked tools and makes credential handling opaque, which is especially risky because the skill advertises search/reader functionality rather than secret management.
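The loader pattern described in this finding and in the Context-Inappropriate Capability finding above, contrasted with a scoped loader. This is an added example written for this review, not the skill's own wrapper script; it assumes, hypothetically, that the downstream tool needs only ZHIPU_API_KEY, and the .env contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the skill's wrapper: contrast the "export everything in
# .env" pattern with a loader that exports only an allowlisted key.
# Assumption (hypothetical): the downstream tool needs only ZHIPU_API_KEY.

# Constructed sample .env. Besides the one key the tool needs, it carries an
# unrelated secret and a PYTHONPATH entry, the kind of value that changes how
# a Python child process resolves imports.
ENV_FILE="$(mktemp)"
trap 'rm -f "$ENV_FILE"' EXIT
cat > "$ENV_FILE" <<'EOF'
# constructed sample .env
ZHIPU_API_KEY="zk-constructed-sample-key"
AWS_SECRET_ACCESS_KEY=unrelated-secret-that-should-stay-local
PYTHONPATH=/tmp/untrusted
EOF

WATCHED='^(ZHIPU_API_KEY|AWS_SECRET_ACCESS_KEY|PYTHONPATH)='

# Names exported after the broad pattern: `set -a` marks every assignment for
# export and `.` executes the file as shell code, so everything reaches
# child processes. Runs in a subshell so the caller's environment stays clean.
keys_after_broad_load() {
    ( unset ZHIPU_API_KEY AWS_SECRET_ACCESS_KEY PYTHONPATH
      set -a; . "$1"; set +a
      env | grep -E "$WATCHED" | cut -d= -f1 | sort | tr '\n' ' ' | sed 's/ *$//' )
}

# scoped_load FILE KEY...: export only the named keys. The file is parsed,
# never sourced, so it cannot run commands; malformed lines are skipped.
scoped_load() {
    file="$1"; shift
    allowed=" $* "
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *=*) ;;
            *) echo "scoped_load: skipping malformed line: $line" >&2; continue ;;
        esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "scoped_load: skipping invalid name: $key" >&2; continue ;;
        esac
        case "$allowed" in
            *" $key "*) ;;
            *) continue ;;
        esac
        # Strip one layer of matching quotes, the common .env convention.
        case "$value" in
            \"*\") value="${value#\"}"; value="${value%\"}" ;;
            \'*\') value="${value#\'}"; value="${value%\'}" ;;
        esac
        export "$key=$value"
    done < "$file"
}

# Names exported after the scoped loader, with the same watch list.
keys_after_scoped_load() {
    ( unset ZHIPU_API_KEY AWS_SECRET_ACCESS_KEY PYTHONPATH
      scoped_load "$1" ZHIPU_API_KEY
      env | grep -E "$WATCHED" | cut -d= -f1 | sort | tr '\n' ' ' | sed 's/ *$//' )
}

# The value the scoped loader actually exports (quotes removed).
scoped_key_value() {
    ( unset ZHIPU_API_KEY
      scoped_load "$1" ZHIPU_API_KEY
      printf '%s' "$ZHIPU_API_KEY" )
}

echo "broad load exports:  $(keys_after_broad_load "$ENV_FILE")"
echo "scoped load exports: $(keys_after_scoped_load "$ENV_FILE")"
```

The broad loader hands all three names to whatever it launches next; the scoped loader passes only ZHIPU_API_KEY, and because it never sources the file, a .env line that is not a plain assignment is reported and ignored rather than executed.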

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The vision and file parser features upload local files or remote URLs to external Zhipu endpoints without an explicit warning that user data leaves the local environment. In an agent skill context, this can cause accidental exfiltration of sensitive local documents, images, or videos.
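One way to add the disclosure and consent step that this finding and the two preceding curl/vision findings ask for. This is an added example, not code from the skill: the endpoint URL, the exit codes, the UPLOAD_CONSENT variable and the CURL override are assumptions made for the example, and the curl form-upload invocation is illustrative rather than the skill's actual request.

```shell
#!/bin/sh
# Added example, not the skill's script: disclose what is about to leave the
# host and refuse to upload without explicit consent. The URL used below is a
# placeholder (api.example.invalid), not a real Zhipu/Z.AI endpoint.

# disclosure_for FILE URL: one line with path, size and destination host so
# the user (or the agent's operator) can decide before anything is sent.
disclosure_for() {
    file="$1"; url="$2"
    host="${url#*://}"; host="${host%%/*}"
    size="$(wc -c < "$file" | tr -d ' ')"
    printf 'About to send %s (%s bytes) to %s\n' "$file" "$size" "$host"
}

# consent_to_upload: explicit consent only. Non-interactive callers (agents,
# cron) must set UPLOAD_CONSENT=yes (assumed variable name); an interactive
# user is prompted. Silence or a missing tty is never treated as consent.
consent_to_upload() {
    if [ "${UPLOAD_CONSENT:-}" = "yes" ]; then
        return 0
    fi
    if [ -t 0 ]; then
        printf 'Send this file off-host? [y/N] ' >&2
        IFS= read -r answer
        case "$answer" in y|Y|yes|YES) return 0 ;; esac
    fi
    return 1
}

# upload_with_consent FILE URL: disclose, ask, then (and only then) transmit.
# Exit codes (assumed for this example): 0 sent, 2 missing file, 3 consent
# withheld. CURL defaults to curl and is a variable only so the flow can be
# exercised with a stub instead of a live request.
upload_with_consent() {
    file="$1"; url="$2"
    if [ ! -f "$file" ]; then
        echo "upload_with_consent: no such file: $file" >&2
        return 2
    fi
    disclosure_for "$file" "$url" >&2
    if ! consent_to_upload; then
        echo "upload_with_consent: refusing to upload $file without explicit consent" >&2
        return 3
    fi
    # Only reached after consent; illustrative multipart upload, not the
    # skill's real request format.
    "${CURL:-curl}" -sS -F "file=@$file" \
        -H "Authorization: Bearer ${ZHIPU_API_KEY:?ZHIPU_API_KEY must be set}" "$url"
}

# Demo with a constructed file: no network call happens because consent is
# withheld (stdin comes from /dev/null and UPLOAD_CONSENT is empty).
DEMO_FILE="$(mktemp)"
printf 'constructed sample document\n' > "$DEMO_FILE"
UPLOAD_CONSENT='' upload_with_consent "$DEMO_FILE" "https://api.example.invalid/v1/files" </dev/null \
    || echo "upload not performed, exit status $?"
rm -f "$DEMO_FILE"
```

The point is the ordering: the disclosure is printed and the consent check passes before the API key is even read, so an agent that runs the wrapper headlessly gets a clear refusal instead of a silent transfer, and an operator who wants automation has to opt in deliberately.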

VirusTotal

65 of 65 vendors reported this skill as clean.

View on VirusTotal