Security audit

Deployment Workflow

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad automation package with real deployment features, but it also contains unrelated crawling, mandatory third-party telemetry, and high-impact browser/admin automation that users should review before installing.

Install only if you intentionally want this skill to control Telegram workflows and a browser session for the named groups and admin site. Before use, remove or isolate the 51cg crawler, disable or approve the Umami telemetry, use a dedicated browser profile with no unrelated logins, and require confirmation or a dry run before bulk moderation actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (39)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares broad operational behavior including shell commands, filesystem access, network communication, and message automation, but does not declare permissions. This prevents informed review and makes it easier to hide risky actions such as external calls, persistent data writes, and automated group monitoring behind an apparently simple deployment skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
There is a significant mismatch between the stated purpose of workflow deployment and the broader behavior described by analysis, including external site access, local data collection/storage, report generation, and third-party telemetry. Behavior that exceeds the declared purpose is dangerous because reviewers and users may approve the skill under false assumptions while hidden or unrelated functions process sensitive data or interact with risky domains.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file is a standalone crawler that visits an unrelated third-party site and extracts decrypted images, which is materially inconsistent with the declared deployment-workflow skill purpose. Capability mismatch is dangerous in agent skills because it can hide covert data collection, policy-evading scraping, or unauthorized content acquisition behind an innocuous manifest.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The header explicitly states the script is for decrypting and extracting images from 51cg, directly contradicting the published skill description. Such contradiction increases suspicion because it suggests the package contains hidden or repurposed functionality unrelated to user expectations, undermining trust and informed consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code launches a browser, navigates to a remote site, enumerates images, and bulk extracts embedded base64 content to local files, none of which is justified by a deployment automation skill. In this context, the hidden scraping behavior is risky because it enables undisclosed external communication and content harvesting using the agent runtime.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The skill mandates execution-time analytics reporting to external scripts on every run, even though telemetry is not necessary for core deployment functionality. Forced outbound reporting creates an undisclosed data flow to a third party and may leak execution metadata, environment details, usage patterns, or error content.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
Requiring start/end/error event reporting for each execution is an unjustified capability for a deployment workflow and expands the attack surface without operational necessity. Error-reporting commands are especially risky because they may transmit sensitive failure details, tokens, file paths, or internal environment information to an external service.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The file’s documented behavior and implementation do not align with the declared skill purpose of deployment automation. A mislabeled skill that actually monitors chat content, visits extracted URLs, and writes persistent logs can bypass operator expectations and review controls, increasing the chance that risky browser automation and data handling are enabled in an inappropriate context.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The implemented behavior is materially different from the advertised deployment workflow function: it processes message text, fetches external URLs via Playwright/CDP, inspects page content, and stores results to local memory. This mismatch is dangerous because security decisions are often based on declared scope; hidden or unrelated capabilities can be abused for unintended network access, data collection, or SSRF-like probing through the local browser/CDP environment.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code connects to a local CDP endpoint and automatically opens attacker-influenced external URLs in a browser context. Even though there is some domain filtering, using browser automation against untrusted links can expose internal network reachability, browser/session context, and local services accessible from the browser, making this capability significantly more dangerous than ordinary HTTP fetching in the stated skill context.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script targets a specific third-party admin panel by name, searches existing browser tabs for that service, and prints page content from the authenticated session. That behavior is inconsistent with the declared deployment-workflow purpose and creates a direct risk of unauthorized inspection and exfiltration of sensitive administrative data.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Connecting over CDP to a live local browser allows the code to attach to an already authenticated browser context and access open admin pages without reauthentication. Reading and printing the DOM of an admin interface can expose credentials, tokens, internal data, or operational controls, especially because the capability is unrelated to the advertised skill purpose.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The file's behavior does not match the declared skill purpose: instead of implementing deployment automation, it performs health-checking of external landing and download pages for named apps. This capability mismatch is dangerous because it can conceal undeclared external monitoring activity inside a seemingly unrelated skill, reducing transparency and increasing the likelihood of misuse or operator surprise.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script uses Playwright over a CDP connection to open browser pages and access external domains unrelated to the stated deployment workflow. In context, this is more dangerous because the hard-coded app names and download/landing-page checks suggest covert external reconnaissance or maintenance of third-party distribution infrastructure, which is undeclared and could facilitate abuse or policy evasion.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This file unconditionally sends skill execution telemetry to an external domain, including skill identifiers, version, install time, event type, and optional error text, despite the skill being described as a deployment workflow rather than an analytics-enabled product. The hidden outbound reporting creates a transparency and privacy risk, and the mismatch between declared purpose and actual behavior makes the capability more suspicious in this context.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill contains a hard-coded telemetry reporting mechanism to https://umami.thousandrealms.win/api/send that is not justified by the stated deployment-management functionality. Even if the payload is not highly sensitive on its face, undisclosed network egress to a third party expands the attack surface and can facilitate tracking, profiling, or future data collection changes without user awareness.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script sends execution telemetry to a third-party Umami endpoint even though the skill is described as a deployment workflow, not an analytics-enabled product. This creates an undisclosed data egress path and weakens user trust because execution metadata is transmitted without clear consent or necessity for the stated functionality.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The external reporting behavior is not justified by the skill's declared deployment-workflow function, so it represents unnecessary outbound communication. Even if the payload appears limited, hidden network transmission can expose operational metadata and establishes a covert channel for future expansion.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file presents itself as a counting/auditing script, but the implementation actually performs moderation actions by clicking every visible "通过" control on an admin site. This mismatch is dangerous because it can deceive operators or reviewers into running code that silently approves user-generated content in bulk, potentially bypassing intended human review.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The declared skill context is a one-click deployment workflow, but this file automates comment moderation against a specific administrative backend and persists moderation statistics locally. In an agent-skill ecosystem, that kind of hidden scope expansion is risky because it can cause privileged browser sessions to be repurposed for unrelated administrative actions without informed consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script creates local directories and later writes downloaded image files without any explicit user-facing warning, quota check, or storage control. In an agent skill, undisclosed file creation can consume disk space, persist potentially inappropriate content, and violate user expectations about side effects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script makes an outbound connection to a third-party domain without explicit disclosure or consent. In a skill whose declared purpose is unrelated to web crawling, hidden network access is especially concerning because it can expose IP metadata, retrieve untrusted content, and bypass user expectations about what the skill contacts.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The automatic trigger listens to group messages and activates on generic keywords such as test-link related phrases, then extracts URLs, validates them, stores the results, and reports back. Overly broad triggers can cause unintended surveillance, accidental processing of unrelated messages, and unapproved browsing of links posted in routine conversations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill describes automatic monitoring of group messages, link extraction, Playwright-based validation, and memory logging, but does not provide a clear privacy notice or data-handling policy. This is dangerous because message content, URLs, and derived results may contain sensitive operational information that is collected and retained without informed consent or retention limits.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The telemetry section requires sending execution events and error details to external scripts without warning users that usage data will be transmitted. Undisclosed outbound reporting is risky because it can expose operational metadata and failure contents to a third party outside the user's expected trust boundary.

VirusTotal

66/66 vendors flagged this skill as clean.