weather-pre-verify

Security checks across malware telemetry and agentic risk

Overview

This paid weather skill is not clearly malicious, but its payment and credential flow needs review before use.

Review before installing. Only use this if you trust the publisher, the JD endpoints, and the exact payment helper skill. The agent should show the amount, payee, order details, destination service, and data being sent, then get explicit confirmation before payment or credential submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The skill explicitly instructs the assistant to include its internal reasoning in user-facing Chinese responses. Revealing chain-of-thought can expose hidden decision criteria, safety logic, and sensitive intermediate analysis that should remain internal, making prompt extraction and policy circumvention easier.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is described as "payment verification/pre-check", but the code actually sends a createOrder request to a remote interface and generates payment transaction data such as an order number, amount, and payment target. This turns what should be a low-risk verification step into a real order-creation action, which could trigger a paid flow without the user being adequately informed or having given explicit confirmation; in a paid weather-skill scenario the risk is higher.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill handles payments, reads credentials, and sends data over the network, yet it does not clearly disclose what sensitive information is collected, where it is sent, how it is used, or what user consent is required. In a paid service context, this increases risk of unsuspecting disclosure of payment artifacts and credential-related data.

Natural-Language Policy Violations

High
Confidence: 98%
Finding
The metadata instructs the assistant to communicate in Chinese and include its thought process. The dangerous part is not the language choice itself, but the forced disclosure of internal reasoning, which can leak protected deliberation and increase susceptibility to prompt injection or policy evasion.

Natural-Language Policy Violations

High
Confidence: 98%
Finding
The body repeats the instruction to interact in Chinese and include internal thought process, reinforcing unsafe behavior. Repetition increases the chance an agent will follow the unsafe instruction despite higher-level policies, which makes the issue more dangerous in practice.

Missing User Warnings

Medium
Confidence: 88%
Finding
The user-supplied question is sent directly to the remote order-creation interface, and nothing in the code at the call site reflects data minimization, a sensitive-information prompt, or an explicit notice that "input content will be sent to a third-party service". In a weather skill, question is likely to contain a location, address, or other personal information; combined with this being a paid order-creation interface, the risk of data leakage and use beyond what the user expects is amplified.

Missing User Warnings

Medium
Confidence: 97%
Finding
The code prints the full body directly, and the response contains potentially sensitive payment data such as orderNo, amount, encryptedData, and payTo. If stdout is collected by a logging system, debugging platform, or other component, this information could leak transaction identifiers, payee details, or data that could be abused by subsequent payment flows, which is especially sensitive in a payment context.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script transmits a payment credential to a remote endpoint without clear user-facing disclosure, consent language, or minimization controls. In the skill context, this is more dangerous because the tool is explicitly a paid service and users may provide sensitive payment-related tokens without understanding they are being sent off-box to an external service, increasing privacy and credential-handling risk.

Ssd 3

High
Confidence: 99%
Finding
This is a direct instruction to reveal internal chain-of-thought across multiple parts of the skill. In the context of a skill that also processes payments and credentials, exposing hidden reasoning can leak safety heuristics, validation logic, or sensitive intermediate handling details, compounding the risk beyond a normal formatting issue.

VirusTotal

66/66 vendors flagged this skill as clean.