Pipaclaw Skills Hub

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent workflow hub, but its promo-video helper scripts create and store backend credentials, contact a remote service, and expose broad file/API helpers without enough user-facing disclosure or scoping.

Review before installing if you are not comfortable with the promo-video workflow contacting nano.djdog.ai, sending the machine hostname, and saving an API key in ~/.config/maliang-hub. Only run the helper scripts on files you intentionally want to provide to the video backend, and confirm quotes before any paid generation or cloud project work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
A hub skill presented as a simple router should not implicitly have file read/write and shell-capable behavior without declaring permissions. Undeclared capabilities reduce auditability and can let downstream or hidden components access local files or execute commands under the guise of benign routing, increasing the chance of privilege misuse or data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior says this skill only routes users, but the detected behavior includes provisioning credentials, persisting auth data locally, making authenticated remote requests, polling jobs, requesting quotes, and encoding arbitrary local files to base64. That gap is dangerous because users and reviewers may authorize a low-risk router while it actually performs sensitive networked actions and can package local data for exfiltration.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The bootstrap script does more than local setup: it contacts a remote service, provisions an API key, persists that credential on disk, and exposes a recharge URL. For a hub/front-door skill whose stated purpose is routing, this is a materially broader capability that creates hidden trust and credential-management risk, especially because it happens automatically on first run.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script fingerprints the host using the machine hostname and transmits it to a remote provisioning endpoint. Even if the value seems low sensitivity, it is still a device identifier that can support tracking, account linkage, and user-environment profiling without clear necessity for a routing skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide shows a login command with a literal `--token '<TOKEN>'` argument, normalizing the practice of passing secrets on the command line. Command-line secrets can be exposed through shell history, process listings, terminal recordings, logs, or copied documentation, which increases the chance of credential leakage during publishing operations.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The default prompt tells the agent to 'use $ppt-maker' as a broad front door for multiple actions without clear trigger boundaries, authorization checks, or task-scoping constraints. In a routing skill, this can cause over-invocation, accidental activation for loosely related requests, and unsafe delegation into internal workers that may perform higher-risk actions than the user intended.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The skill declares very broad front-door triggers such as 'teaser', 'explainer', and generic requests like '帮我做一个视频', which can cause the router to invoke this skill for loosely related requests. In a hub skill that can quote costs, create projects, and start downstream media workflows, overbroad activation increases the chance of unintended capability execution or user confusion about what is being authorized.

Vague Triggers

Low
Confidence
72% confidence
Finding
The instruction to 'produce the smallest useful first step and keep moving' for vague requests lacks explicit boundaries on what actions are allowed before the user's intent is clarified. In this skill, that can lead to premature planning, quoting, or task initiation based on inference rather than confirmed user intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The default prompt is broadly phrased to handle nearly any video-production request, including end-to-end project management, without stating boundaries, approval gates, or disallowed actions. In a routing/front-door skill, this can cause overbroad invocation and unintended activation for vague user requests, increasing the chance of misrouting, scope creep, or unsafe downstream automation.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The file hard-codes a clarification question in Chinese regardless of the user's language, which can cause confusion, reduce informed consent, and degrade correct routing when users do not understand the prompt. In a front-door routing skill, this is more dangerous than a cosmetic issue because ambiguity resolution directly affects whether work is handled as a transient task or persisted project.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The `Showrunner` routing criteria are broad and subjective, such as 'brief is ambiguous' or 'production path must be selected', without explicit decision boundaries. In an orchestration skill, this can cause the dispatcher to invoke a high-authority coordinator too often, leading to incorrect workflow selection, over-broad task execution, or unintended access to downstream capabilities.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script silently provisions credentials over the network and writes them to disk without any user-facing warning, confirmation, or explanation. Hidden credential creation and persistence increase the chance of unexpected account creation, misuse of the issued key, and accidental trust in an external service the user did not knowingly authorize.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script accepts an arbitrary absolute path, reads the file bytes, and prints the full base64-encoded contents to stdout. Base64 is only an encoding, not a protection mechanism, so this can be used to exfiltrate any file the executing user can access, especially if upstream skill logic passes user-controlled paths.

VirusTotal

65/65 vendors flagged this skill as clean.