ClawHub

Brown Dust 2

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised Brown Dust 2 automation, but it handles a reusable account access token in ways users should review carefully.

Install only if you trust this skill with your Brown Dust 2 web-shop session. Do not paste access tokens into chat or screenshots; prefer local-only setup, delete the saved .token file when finished or on shared devices, and confirm each sign-in or redemption run before allowing account actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes scripts with network, shell, file read, and file write behavior but does not declare permissions or boundaries to the user. Hidden capability scope reduces informed consent and can lead to over-privileged execution, especially for an automation skill that handles credentials and external requests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README tells users to extract an access token from browser storage and save it via a CLI command, but it does not warn that the token is a sensitive bearer credential equivalent to account access. This encourages insecure handling such as shell history exposure, screenshots, clipboard leakage, or plaintext local storage, which could allow anyone with the token to perform authenticated actions on the user's account.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger list includes broad terms such as '签到', 'redeem', and 'brown dust', which may activate the skill in unintended contexts. Accidental invocation is risky here because the skill performs external actions and may handle stored tokens or redeem codes automatically.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation rules rely on partial keyword matching without clear exclusions, making invocation ambiguous. In a skill that signs into services and redeems codes, ambiguous triggers can cause unintended account actions or use of stored credentials.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs the agent to extract an access token from browser local storage and save it, but provides no warning that this is a sensitive credential equivalent to account access. It also suggests manual disclosure of the token to the agent if extraction fails, increasing the chance of credential exposure, retention, or misuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent and user to extract and persist an access token, but it provides no warning that the token is a sensitive session credential or guidance on minimizing exposure. In this context, the token appears sufficient to perform account actions, so mishandling it could enable unauthorized sign-in automation or other account activity if leaked via logs, chat history, or local storage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends user-provided game identifiers and redemption codes to external endpoints, but its user-facing flow does not clearly disclose that data will be transmitted to third-party services. This creates a privacy and informed-consent issue: users may not realize their nickname is being sent both to the coupon redemption API and, indirectly, that codes are sourced from an external website they may not trust.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The script persists the player's nickname to a local dotfile without clearly warning the user in advance. While the data is not highly sensitive by itself, silent local storage can surprise users, leak identity information to other local users/processes, and violate expectations around consent and transparency.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script persists a bearer access token to a local .token file, which creates a reusable credential at rest on disk. Although it sets restrictive file permissions (0600), there is no explicit warning, no encryption, and no use of a system credential store, so users may unknowingly leave a high-value session token recoverable by local malware, backups, or other processes running as the same user.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script tells users to extract an access token directly from browser localStorage and use it in the tool, but it does not warn that this token is effectively a bearer credential that can authorize account actions. This increases the chance of users mishandling, copying, logging, or sharing the token, which could enable account misuse if exposed.

Ssd 3

High
Confidence
99% confidence
Finding
The instructions explicitly direct the agent to obtain a user's access token from browser storage and persist it, or ask the user to paste it manually. This is highly dangerous because access tokens are bearer credentials; anyone who obtains them may act as the user until expiry, and agent-side storage broadens the attack surface substantially.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instruction to always show complete output increases the chance that sensitive values from scripts, browser evaluation, errors, or saved-token operations are echoed back to the user or captured in logs. Because this skill handles session tokens and account identifiers, unrestricted output disclosure materially raises the risk of credential leakage and account compromise.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs the user to retrieve their access token from browser localStorage and paste it as plain text. This is highly dangerous because the token is a bearer credential; once exposed in chat transcripts, clipboard history, screenshots, or logs, anyone with access can potentially act as the user on the Web Shop.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal