Trend Radar

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it embeds a Weibo session cookie and includes cron-based persistence, both of which deserve review before installation.

Install only if you are comfortable with a network-enabled trends tool that can optionally create recurring cron jobs. Review or remove the hard-coded Weibo cookie before use, and avoid using the scheduler unless you explicitly want persistent daily execution and know how to list or remove the cron entry.
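Listing and removing the scheduler's cron entry is the step most users skip. The helper below is an added example written for this review, not code from the Trend Radar skill or from SkillSpector: it parses the output of `crontab -l`, lists the entries whose command mentions the skill, and builds a crontab with only those entries removed, so unrelated jobs, comments and MAILTO/PATH lines survive. The marker `trend_radar`, the paths, the script name `cron_audit.py` and the sample crontab are constructed assumptions; substitute whatever script name the skill's scheduler actually writes.

```python
"""Audit the user's crontab for entries installed by a skill and build a
cleaned crontab with only those entries removed.

Added example for this review; not code from the Trend Radar skill or from
SkillSpector. The marker "trend_radar", the paths and SAMPLE_CRONTAB are
constructed assumptions: use the script name the skill's scheduler really
writes.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Executable crontab line: an @shortcut or five schedule fields, then the
# command. Comments, blank lines and VAR=value settings run nothing and are
# skipped by parse_crontab().
CRON_LINE = re.compile(r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>.+)$")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


@dataclass
class CronEntry:
    lineno: int
    schedule: str
    command: str


def parse_crontab(text: str) -> list[CronEntry]:
    entries = []
    for n, line in enumerate(text.splitlines(), start=1):
        s = line.strip()
        if not s or s.startswith("#") or ENV_LINE.match(s):
            continue
        m = CRON_LINE.match(s)
        if m:
            entries.append(CronEntry(n, m["sched"], m["cmd"]))
    return entries


def skill_entries(text: str, marker: str) -> list[CronEntry]:
    """Entries whose command mentions the skill (marker is a substring such
    as the installed script's path or name)."""
    return [e for e in parse_crontab(text) if marker in e.command]


def without_skill_entries(text: str, marker: str) -> str:
    """The crontab with the skill's entries dropped; every other line
    (other jobs, comments, MAILTO/PATH settings) is kept unchanged."""
    drop = {e.lineno for e in skill_entries(text, marker)}
    kept = [line for n, line in enumerate(text.splitlines(), start=1) if n not in drop]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def live_crontab() -> str:
    """Current user's crontab via `crontab -l` ("" when none is installed)."""
    r = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else ""


def install_crontab(text: str) -> None:
    """Replace the user's crontab with text (same as `... | crontab -`)."""
    subprocess.run(["crontab", "-"], input=text, text=True, check=True)


# Constructed sample of `crontab -l` output: one unrelated backup job plus
# two entries a daily-briefing scheduler might have written.
SAMPLE_CRONTAB = """\
# constructed sample, not a real crontab
MAILTO=me@example.com
0 2 * * * /usr/local/bin/backup.sh
0 8 * * * cd /home/me/.skills/trend_radar && /usr/bin/python3 briefing.py >> /home/me/.trend_radar/briefing.log 2>&1
@daily /home/me/.skills/trend_radar/push.sh
"""

if __name__ == "__main__":
    # `python3 cron_audit.py trend_radar --live` audits the real crontab;
    # without --live it runs against the constructed sample. Nothing is
    # written back unless --apply is given together with --live.
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    marker = args[0] if args else "trend_radar"
    text = live_crontab() if "--live" in sys.argv else SAMPLE_CRONTAB
    found = skill_entries(text, marker)
    for e in found:
        print(f"line {e.lineno}: [{e.schedule}] {e.command}")
    if not found:
        print(f"no crontab entries mention {marker!r}")
    elif "--apply" in sys.argv and "--live" in sys.argv:
        install_crontab(without_skill_entries(text, marker))
        print(f"removed {len(found)} entr{'y' if len(found) == 1 else 'ies'}")
```

Run it once before installing to record what the crontab already contains, and again after trying the scheduler. Removing only the matching lines and re-installing with `crontab -` is deliberate: `crontab -r` would delete every other job as well.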

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The manifest grants shell execution for Python and direct crontab access, which materially exceeds a simple read-only trend lookup and enables persistent system modification. In this context, the presence of file-write, network, and shell capabilities without clear upfront justification increases risk because a user asking for 'trends' may unknowingly invoke code that can alter local state and schedule recurring tasks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a real-time aggregator, but it also manages persistent cron jobs and writes briefing data to local files, which are materially different behaviors from the declared purpose. This mismatch is dangerous because users and reviewers may consent to transient data fetching while unknowingly granting a skill the ability to establish persistence and modify the host environment.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The README advertises a cron-based daily briefing manager, which expands the skill from an on-demand trend lookup into a persistent scheduled task. That broader capability can create unexpected autonomous behavior, periodic network access, and possible data exfiltration or spam-like activity that users did not intend when installing a trigger-based aggregator skill.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The README advertises a scheduled push capability even though the skill is described primarily as an on-demand trend aggregation tool. In an agent environment, background scheduling expands the skill from user-triggered retrieval into persistence and autonomous execution, which increases attack surface, can create unexpected outbound network activity, and may violate least-privilege or user-consent expectations.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documented workflow mixes ordinary live-fetch functionality with persistent scheduling, but the manifest framing does not prepare the user for host-level persistence. That gap matters because scheduled execution can continue after the initial interaction, expanding the blast radius from a one-time query to repeated unattended execution.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Cron job management is a persistence mechanism and is not necessary for answering ad hoc trend queries. In the context of a broadly triggered skill, this makes the capability more dangerous because a benign-looking content utility is granted system-level scheduling power that could be abused or misused beyond user expectations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata describes a real-time trend aggregator, but this file adds functionality to modify the user's system crontab and create persistent scheduled execution. That scope expansion is dangerous because it grants persistence and system-level side effects unrelated to simply fetching trends, increasing the blast radius if the skill is misused or compromised.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code uses system cron to establish persistent execution, which is a strong capability for a skill whose stated purpose is trend aggregation. Persistent scheduled execution can repeatedly run code without further user interaction, making accidental misuse, unexpected data collection, or later abuse substantially more dangerous.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The HTML fallback includes a hard-coded Weibo session cookie, which means the skill is no longer performing purely public unauthenticated scraping. Embedding session material in source code can leak or reuse someone else's authenticated context, create undisclosed third-party account dependence, and expose the operator to account abuse, blocking, or unintended access scope if the cookie remains valid.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file advertises 'public' and 'zero API key' scraping, but the fallback actually sends a session cookie. That mismatch is security-relevant because it conceals that the code depends on credential-like material, which can mislead reviewers and users about the trust, privacy, and authorization model of the skill.

Vague Triggers

Medium
Confidence
71% confidence
Finding
The trigger examples include generic phrases such as 'trend', 'trends', and 'what is trending/hot', which may overlap with normal conversation and cause unintended activation. In a skill that performs live multi-platform fetches, accidental invocation can leak user intent to external services or trigger unnecessary network activity without clear consent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The documented trigger phrases are broad everyday terms such as 'trends', '热搜' (hot search) and '今天有什么热点' (what's trending today), which are likely to appear in normal conversation. This can cause unintended invocation of a network-enabled skill, leading to surprise data fetching, context hijacking, or the agent choosing this skill when the user only meant to ask a generic question.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger rules include broad current-events language such as 'what's happening,' which can cause the skill to activate for generic news or context questions the user did not intend to route through this tool. Because the skill can perform network access and potentially expose users to additional tool actions, overbroad invocation increases the chance of unintended execution and surprise side effects.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The manifest description embeds generic trigger phrases like 'what is trending/hot,' which can over-match ordinary conversation and cause accidental activation. In a skill with network and shell-backed implementation, ambiguous routing is more dangerous than in a pure informational prompt because it may invoke code and external requests without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The scheduled briefing commands are presented as ordinary options without warning that they modify the user's crontab and create persistent background behavior. This is dangerous because users may copy or approve the commands without understanding they are installing a recurring task that survives the current session and may write data locally.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs persistent system changes by writing or removing cron jobs without any interactive confirmation or prominent warning. This is risky because users may invoke the command expecting a temporary trend fetch and instead alter long-lived execution state on their machine.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A hard-coded session cookie in an outbound request is effectively a secret embedded in source code without disclosure or rotation controls. If valid, it could allow unauthorized reuse of an account session, tie traffic to a third party identity, and create legal, privacy, or operational risk for anyone running the skill.
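The cookie findings above and the crontab findings earlier on this page are the kind a reviewer can reproduce with a static check before installing. The script below is an added example written for this review, not part of the skill or of SkillSpector: it scans a skill's files for a Cookie header assigned a string literal, for variables with secret-like names assigned a long literal, and for code that touches the crontab, and it redacts the cookie value in its own output so the report does not re-leak it. The sample sources, the `session=...` cookie value and the script name `skill_review.py` are constructed; the real skill's file names, variable names and cookie contents are not known from this page.

```python
"""Static pre-install review of a skill's source tree: flag hard-coded
session cookies, long literals assigned to secret-like names, and code
that touches the crontab.

Added example for this review; not code from the Trend Radar skill or
from SkillSpector. SAMPLE_SOURCES and the "session=..." cookie value are
constructed to resemble the findings on this page; the real skill's file
names, variable names and cookie contents are not known here.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    path: str
    lineno: int
    rule: str
    snippet: str   # the offending line, with any secret value redacted


# A Cookie header given a string literal (not a variable or env lookup):
#   "Cookie": "..."     headers['cookie'] = '...'
COOKIE_LITERAL = re.compile(
    r"""['"]cookie['"]\s*[:=]\s*(?P<val>['"][^'"]{16,}['"])""", re.IGNORECASE)
# A secret-looking name assigned a literal of 16+ characters.
SECRET_ASSIGN = re.compile(
    r"""\b(?:cookie|session|sessid|token|auth)\w*\s*=\s*(?P<val>['"][^'"]{16,}['"])""",
    re.IGNORECASE)
# Anything that reads, writes or drops files into the cron system.
CRON_TOUCH = re.compile(r"\bcrontab\b|/etc/cron\.|/var/spool/cron")

RULES = [
    ("hardcoded-cookie", COOKIE_LITERAL),
    ("secret-assignment", SECRET_ASSIGN),
    ("cron-persistence", CRON_TOUCH),
]
SCAN_SUFFIXES = {".py", ".sh", ".js", ".ts", ".json", ".yaml", ".yml", ".toml", ".md"}


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            snippet = line.strip()
            if "val" in rx.groupindex:   # keep the report from re-leaking the secret
                val = m["val"]
                snippet = (line[:m.start("val")] + val[:8] + "...[redacted]"
                           + line[m.end("val"):]).strip()
            findings.append(Finding(path, n, rule, snippet))
            break   # one finding per line is enough for a reviewer
    return findings


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Scan {relative_path: file_text}; order follows the dict, then line."""
    return [f for path, text in sources.items() for f in scan_text(path, text)]


def scan_dir(root: Path) -> list[Finding]:
    files = sorted(p for p in root.rglob("*") if p.is_file() and p.suffix in SCAN_SUFFIXES)
    return scan_sources({str(p.relative_to(root)): p.read_text(errors="replace") for p in files})


# Constructed stand-in for a skill tree: an HTML fallback with a literal
# Cookie header, and a scheduler that rewrites the crontab.
SAMPLE_SOURCES = {
    "scripts/fetch_weibo.py": (
        "import requests\n"
        "HEADERS = {\n"
        "    'User-Agent': 'Mozilla/5.0',\n"
        "    # constructed placeholder value, not a real Weibo cookie\n"
        "    'Cookie': 'session=0123456789abcdef0123456789abcdef; lang=zh',\n"
        "}\n"
        "def fetch_html(url):\n"
        "    return requests.get(url, headers=HEADERS, timeout=10).text\n"
    ),
    "scripts/schedule.py": (
        "import subprocess\n"
        "def install(line):\n"
        "    current = subprocess.run(['crontab', '-l'], capture_output=True, text=True).stdout\n"
        "    subprocess.run(['crontab', '-'], input=current + line + '\\n', text=True)\n"
    ),
    "README.md": "# Trend Radar\nPublic, zero API key trend aggregation.\n",
}

if __name__ == "__main__":
    # `python3 skill_review.py /path/to/skill` scans a real tree; with no
    # argument it runs against the constructed sample.
    findings = scan_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_sources(SAMPLE_SOURCES)
    for f in findings:
        print(f"{f.path}:{f.lineno} [{f.rule}] {f.snippet}")
    print(f"{len(findings)} finding(s); review each before installing")
```

A cookie read from the environment (`os.environ['...']`) is not flagged, which is the shape the fix should take: move the session material out of the source and have the user supply their own, or drop the authenticated fallback entirely. Every `crontab` hit is reported, including the read-only `crontab -l`, because the reviewer wants to see the whole scheduling code path, not just the write.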

VirusTotal

VirusTotal findings are pending for this skill version.