Security audit

PIPL-Compliance (PIPL compliance tool)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local PIPL compliance helper, but it needs review because it auto-installs packages and several advertised compliance/document-generation features are demo-like or unreliable.

Install only in a virtual environment, review scripts before running quick-start.py, and install dependencies yourself if you need tighter control. Treat generated checks, reports, and privacy templates as examples requiring legal review, not production-ready compliance evidence. Avoid putting sensitive personal data into the optional API deployment unless you add your own transport security, logging, retention, and access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("❌ pandas 未安装,正在安装...")
try:
    import subprocess
    subprocess.run([sys.executable, "-m", "pip", "install", "pandas", "-q"],
                   check=True, capture_output=True)
    print("✅ pandas 安装成功")
except Exception as e:
Confidence
92% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "pandas", "-q"], check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("❌ jinja2 未安装,正在安装...")
try:
    import subprocess
    subprocess.run([sys.executable, "-m", "pip", "install", "jinja2", "-q"],
                   check=True, capture_output=True)
    print("✅ jinja2 安装成功")
except Exception as e:
Confidence
92% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "jinja2", "-q"], check=True, capture_output=True)

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The skill claims data stays local on the user's device, but the same document includes remote repository cloning and a web API deployment example that can expose uploaded compliance data beyond a purely local context. This inconsistency can cause users to process sensitive personal information under false privacy assumptions, leading to unintended disclosure or regulatory violations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The template pre-populates broad categories of personal information processing, including payment card data, third-party cookies, and extensive automatic collection, without requiring the user to confirm whether those activities actually occur. In a PIPL compliance tool, this can cause organizations to publish inaccurate privacy notices that overstate lawful processing scope, mask data minimization obligations, and create legal/compliance exposure.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The template defaults to marketing communications, personalized advertising, and promotion-related processing as standard purposes. In the context of a PIPL compliance assistant, this is dangerous because it may normalize optional, consent-driven processing as a default business activity and lead users to generate non-tailored policies that imply broader processing than is necessary or permitted.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The template assumes collection from social platforms, partners, and public sources, which expands the perceived sources of personal information beyond what many organizations actually use. In a compliance-focused skill, this can mislead users into adopting overbroad disclosures, weakening purpose limitation and transparency expectations and potentially obscuring the need for separate notices, contracts, or consent flows for third-party sourced data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The version_control function contains a real implementation flaw: during construction of version_report, the expression for summary['update_required'] references version_report before it has been fully assigned. This can raise an exception and cause denial of service for callers invoking the function, while also misleading users because update/rollback behavior is only simulated rather than actually performed.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The CLI presents itself as performing scenario-specific PIPL compliance analysis, but it actually ignores real scenario inputs and always evaluates a fixed hard-coded dataset. In a compliance tool, this can mislead operators into believing a real assessment was performed, producing false assurances and potentially causing organizations to miss legal and security gaps.

Intent-Code Divergence

Low
Confidence
96% confidence
Finding
The code comments acknowledge that real deployments should load scenario data from arguments or configuration, yet the implementation still uses only example data. This mismatch increases the risk of operational misuse because users may assume the tool is complete and production-ready when it is not, leading to inaccurate compliance conclusions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The quick-start script includes package-installation capability that is unrelated to its stated purpose of demonstrating PIPL compliance features. This is dangerous because it grants the script system-modifying behavior and outbound dependency retrieval, increasing attack surface and creating a supply-chain risk pathway that users may not expect from a demo tool.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The dangerous-function detection logic is inverted and inconsistent with the comment claiming a smarter check. In particular, actual risky calls like exec(...) may be excluded from reporting, while benign textual occurrences may still be flagged, creating false negatives that can let code injection sinks pass unnoticed in a security-scanning tool.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The module claims to verify 'pure local operation', but it also actively executes other scripts from the project. In a security-checking context, this is dangerous because a user may trust the verifier as passive while it actually runs potentially unsafe code, expanding the attack surface during analysis.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script launches other project scripts automatically without any user-facing confirmation or opt-in. In a security tool, silent execution is risky because users may run the checker expecting inspection only, while the invoked scripts could perform unintended actions if they are compromised or behave unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The save_document method writes attacker-controlled content to an attacker-influenced output path and filename without path validation, confinement, or overwrite protections. In an agent context, if untrusted inputs can reach these parameters, this could enable arbitrary file write within the agent's OS permissions, potentially overwriting application files, planting misleading documents, or writing into sensitive locations.

VirusTotal

66/66 vendors reported this skill as clean.