Mysteel_BidSupply

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says by querying Mysteel steel supply, demand, and bidding data, but users should treat its saved API key as a plaintext local secret.

Install only if you are comfortable sending steel procurement, supply, demand, and bidding searches to Mysteel. Use a dedicated or low-privilege Mysteel API key if possible, keep references/api_key.md out of shared or synced workspaces, delete it when no longer needed, and rotate the key if the workspace may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The script can persist an API key to a local markdown file under the skill directory, creating a plaintext secret-at-rest risk. This is not necessary for the core query functionality and increases exposure to accidental disclosure via local file reads, packaging, backup, source control inclusion, or other skills/processes accessing the workspace.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The description and activation conditions are broad enough to match common procurement, sales, and project-discovery queries, which increases the chance the skill is invoked when not specifically intended. Over-broad triggering can route unrelated business requests into a skill that performs network calls and uses stored credentials, expanding the attack surface and risking unnecessary data exposure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs users to save an API key into a local markdown file without any warning about plaintext secret storage, access controls, or rotation. Storing credentials in an easily readable file creates a realistic risk of credential disclosure through local file access, logs, backups, or accidental sharing, which could lead to unauthorized API use.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script writes the API key in plaintext to a predictable local file without any warning, access control, or permission hardening. On shared systems or in repos/workspaces with broad access, this can expose reusable credentials to other local users, backup systems, or accidental commits.

VirusTotal

64/64 vendors flagged this skill as clean.