数值计算器 (Numeric Calculator)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This package is presented as a calculator, but its documented code path appears to use credentials, local secret storage, and a remote gaokao (Chinese college-entrance exam) school-search API instead.

Do not treat this as a normal calculator skill without further review. Before installing, require the publisher to explain why a calculator needs an API key, remote gaokao/school-search integration, dynamic tool forwarding, raw API responses, and plaintext .env storage; preferably use a local calculator implementation instead.

SkillSpector (14)

By NVIDIA

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill advertises itself as a simple calculator, yet the documentation indicates capabilities to read environment variables, read/write local files, and access the network without any declared permissions. This creates a transparency and consent problem: users may expose secrets or allow persistent changes and remote transmission under the guise of harmless arithmetic.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 97%
Finding: There is a strong mismatch between the declared purpose ('numeric calculator') and the documented behavior, which includes external API calls and reading/writing an API key to a local .env file. Such a mismatch is dangerous because it can trick users into providing credentials and allowing networked, stateful operations they would not expect from a basic calculator.

Description-Behavior Mismatch (High)
Confidence: 98%
Finding: A calculator should not require an external API key or depend on remote 'raw' API responses for basic arithmetic. This indicates the skill is acting as a proxy to a remote service, increasing the risk of secret collection, unexpected data exfiltration, service abuse, and misleading users about where computations occur.

Description-Behavior Mismatch (Critical)
Confidence: 99%
Finding: The documentation references a gaokao/school-search project and a search_schools example inside a purported calculator skill, which is a severe contextual inconsistency. This suggests copy-paste deception or hidden repurposing of the skill, raising the possibility that users are being funneled into unrelated remote functionality and credential collection under false pretenses.

Intent-Code Divergence (High)
Confidence: 97%
Finding: The workflow example instructs the model to call search_schools and format raw API data, directly contradicting the claimed math toolset. In an agent setting, misleading routing guidance can cause the assistant to invoke unrelated external operations and mishandle user data or credentials.

Intent-Code Divergence (Medium)
Confidence: 90%
Finding: Returning and displaying raw API JSON is inconsistent with simple arithmetic functions and can expose unnecessary remote response content to users. Raw output handling increases the chance of leaking metadata, backend messages, or unexpected content from the remote service into the user-facing response.

Description-Behavior Mismatch (High)
Confidence: 96%
Finding: The skill is presented as a numeric calculator, but this code implements a generic remote MCP API client that can invoke upstream functionality unrelated to arithmetic. That mismatch materially expands the skill's effective capability and creates a confused-deputy risk, where users or higher-level agents may trust it as harmless while it performs arbitrary external actions over the network.

Context-Inappropriate Capability (High)
Confidence: 93%
Finding: This file imports configuration and API-key retrieval for use in outbound requests, enabling credentialed communication with an external service despite the skill claiming to be a simple calculator. In this context, hidden secret use plus network access is dangerous because it grants the skill authority beyond what users would reasonably expect from its description.

Context-Inappropriate Capability (High)
Confidence: 98%
Finding: The code accepts a dynamic tool_name and forwards arbitrary params directly to the upstream API via headers and request body, allowing callers to reach any upstream tool exposed by that service. For a calculator skill, this is an unauthorized capability expansion that can be abused to trigger unintended remote actions or access non-calculator functions under the cover of a benign skill.

Description-Behavior Mismatch (High)
Confidence: 99%
Finding: The file implements configuration for a remote 'gaokao' service and API key handling rather than a local numeric calculator as declared. This capability mismatch is dangerous because it introduces undisclosed network-service integration and credential handling into a skill whose expected trust boundary is only arithmetic, increasing the likelihood of hidden data flow and misuse.

Context-Inappropriate Capability (High)
Confidence: 98%
Finding: A numeric calculator should not need to read, persist, and expose an API key, yet this code force-loads credentials from .env and stores them back to disk and the process environment. Hidden credential-management behavior expands the attack surface and can enable secret collection, persistence, or reuse beyond user expectations.

Intent-Code Divergence (Medium)
Confidence: 95%
Finding: The class docstring explicitly labels this as a '高考Skill配置' (gaokao skill configuration), directly conflicting with the published identity of a numeric calculator. Such an identity mismatch is a strong indicator of repurposed or mispackaged code, which undermines trust and may conceal capabilities users did not authorize.

Missing User Warnings (Medium)
Confidence: 85%
Finding: The request includes an API key and arbitrary parameters sent to an upstream service, yet this file provides no indication of user disclosure, consent, or warning about external transmission. In a skill framed as local numeric computation, silent data egress increases privacy and trust risks because user-provided inputs may be relayed off-box unexpectedly.

Missing User Warnings (Medium)
Confidence: 93%
Finding: The code writes an API key to a local .env file and the process environment without any visible confirmation, warning, or secure handling controls. Silent persistence of secrets can expose credentials to other local users, logs, backups, source-control accidents, or unrelated components in the same process.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.