Security audit

Story Short Scan

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed market-scanning tool, but it also uses logged-in browser sessions and an admin token to query a management backend, which needs careful review before installation.

Install only if you are comfortable letting the agent use a logged-in Chrome session and query publisher/admin APIs for Black Rock data. Prefer public-page or user-supplied data modes unless you intentionally want authenticated collection, and avoid running it in a browser profile that contains unrelated sensitive sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly directs use of browser automation, WebFetch, CDP, and backend API access, which are network-capable behaviors, yet no permissions are declared. This creates a transparency and governance gap: users and policy layers cannot accurately evaluate or constrain what the skill will access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is public short-story trend scanning, but the documented behavior extends into authenticated access to a publisher/admin backend, token extraction from cookies, API calls, and local file output. That mismatch is dangerous because it can mislead users into authorizing or running a skill that reaches far beyond expected public leaderboard analysis.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill instructs extracting a Bearer token from a logged-in Chrome session and using it to call a backend API. Accessing session-derived credentials to query non-public backend interfaces is a sensitive action that can expose privileged data, bypass normal UI expectations, and misuse an authenticated user's session.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The advanced browser automation guidance encourages reusing an already logged-in Chrome session to access data only visible after authentication. Even without explicit token extraction, this broadens the skill from public trend analysis into potentially sensitive account-scoped access, increasing the chance of over-collection or unintended exposure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script explicitly requires a manual login to an admin console, extracts the Admin-Token cookie from the browser session, and reuses it as a Bearer token to call a publisher management backend. That behavior materially exceeds the skill’s declared purpose of public short-story trend scanning and creates a credential-harvesting/data-access path into privileged internal systems.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Requiring authenticated admin-console access is unnecessary for the stated use case of analyzing popular short-story topics and indicates the skill is leveraging privileged access to internal catalog data. In this context, the mismatch between manifest and implementation is a strong sign of covert overreach and can expose non-public business data to the agent workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill tells the operator to use a logged-in browser session and cookie-derived Bearer token, but does not clearly warn that this involves access to session credentials and potentially privileged backend data. Lack of explicit disclosure undermines informed consent and can cause users to expose account access beyond what they expected from a simple market-scanning tool.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/cdp-utils.js:26