Aicoo Share Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it gives an agent broad authority to publish Aicoo share links, expose visitor data, and edit remote note-backed policies, and it does so with insufficient warnings to the operator.

Install only if you want an agent to manage Aicoo share links using your API key. Prefer folder-scoped, read-only links with sign-in required and short expirations. Avoid anonymous, never-expiring, write, edit, or calendar-write links unless you have reviewed exactly what will be exposed or changed. Confirm before uploading local folders, retrieving visitor identity data, or patching any note-backed policy.
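The guidance above can be turned into a pre-flight check the agent runs on every share-link request before it calls the API. The following is an added example written for this page; it is not code from the Aicoo skill or from SkillSpector. `requireSignIn` and `notesAccess` are parameter names quoted in the findings; every other request key (`scope`, `expiresInDays`, `calendarAccess`, `uploadPath`, `fetchVisitors`, `patchNotes`), the 7-day expiry limit, and the sample requests are assumptions made for the example.

```python
# Added example: a pre-flight guard an agent can run on an Aicoo share-link
# request before calling the API. Not part of the Aicoo skill or SkillSpector.
# `requireSignIn` and `notesAccess` are parameter names quoted in the
# findings; every other key, the 7-day expiry limit and the Aicoo-side
# semantics are assumptions made for this example.
from dataclasses import dataclass, field

MAX_EXPIRY_DAYS = 7  # assumed policy for "short expiration"


@dataclass
class Verdict:
    warnings: list[str] = field(default_factory=list)

    @property
    def needs_confirmation(self) -> bool:
        # Anything outside the safe defaults must be confirmed by a human.
        return bool(self.warnings)


def review_share_request(req: dict) -> Verdict:
    """Check one share-link request against the least-privilege defaults:
    folder-scoped, read-only, sign-in required, short expiry, no side effects."""
    w: list[str] = []

    # Anonymous links: anyone holding the URL can query the shared agent.
    if req.get("requireSignIn") is False:
        w.append("requireSignIn:false exposes the link to anyone who holds it")

    # Write primitives on notes or the calendar are not 'sandboxed' in effect.
    notes = req.get("notesAccess", "read")
    if notes in ("write", "edit"):
        w.append(f"notesAccess:{notes} lets guests modify note content")
    if req.get("calendarAccess") == "write":  # assumed key
        w.append("calendarAccess:write lets guests change calendar entries")

    # Expiry: a missing value is treated as never-expiring.
    days = req.get("expiresInDays")  # assumed key
    if days is None:
        w.append("no expiry set: link never expires")
    elif days > MAX_EXPIRY_DAYS:
        w.append(f"expiry of {days} days exceeds the {MAX_EXPIRY_DAYS}-day limit")

    # Scope: anything wider than one folder exposes more than intended.
    scope = req.get("scope", "workspace")  # assumed key
    if scope != "folder":
        w.append(f"scope {scope!r} is wider than a single folder")

    # Side effects the overview says to confirm explicitly.
    if req.get("uploadPath"):  # assumed key
        w.append(f"uploads local folder {req['uploadPath']!r} to the remote service")
    if req.get("fetchVisitors"):  # assumed key
        w.append("retrieves visitor identity data from the analytics endpoints")
    if req.get("patchNotes"):  # assumed key
        w.append("patches note-backed policy text outside link management")

    return Verdict(warnings=w)


def confirmation_prompt(verdict: Verdict) -> str:
    """Text the agent should show before sending a request that needs confirmation."""
    if not verdict.needs_confirmation:
        return ""
    lines = ["This share request goes beyond the safe defaults:"]
    lines += [f"  - {msg}" for msg in verdict.warnings]
    lines.append("Proceed? [y/N]")
    return "\n".join(lines)


# Constructed sample requests (not taken from the skill's documentation).
SAFE_REQUEST = {
    "scope": "folder",
    "requireSignIn": True,
    "notesAccess": "read",
    "expiresInDays": 3,
}

# Constructed to resemble the investor-materials example the findings
# describe: anonymous access plus an upload of a local folder, no expiry.
INVESTOR_EXAMPLE = {
    "scope": "folder",
    "requireSignIn": False,
    "notesAccess": "read",
    "uploadPath": "./investor-materials",
}

if __name__ == "__main__":
    for name, req in (("safe", SAFE_REQUEST), ("investor", INVESTOR_EXAMPLE)):
        v = review_share_request(req)
        print(f"{name}: needs_confirmation={v.needs_confirmation}")
        print(confirmation_prompt(v))
```

The safe request produces no warnings and can be sent without prompting; the investor-materials request trips three checks (anonymous access, no expiry, local upload) and the agent should show the prompt and wait for an explicit yes. Treating a missing expiry as "never expires" is deliberate: the guard fails closed on the setting most likely to be forgotten.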

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The skill goes beyond creating and revoking share links by exposing visitor/contact analytics via `/os/network` and share listing endpoints. That broadens the data surface to include identities and interaction metadata of people using shared links, which can leak personal information and exceeds the least-privilege scope implied by a sharing utility.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill advertises link-sharing but also performs direct note search and note content patching under 'Per-Link Policy Editing'. This introduces a hidden write primitive against general note content, enabling unintended modification of user data or policy text outside simple link management and creating a stronger capability than users would reasonably expect.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The documentation says access is 'sandboxed' and 'inside isolated scope' while also allowing `notesAccess: write|edit` and calendar write permissions. That wording can mislead operators into underestimating the real effects of a shared link, causing oversharing or granting modification rights based on a false sense of safety.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: The trigger description is broad enough to match common requests about sharing, access, editing, or guest permissions, increasing the chance the skill activates in situations where the user did not intend to create or manage externally accessible links. In a security-sensitive skill that can publish access and change permissions, overbroad invocation raises the risk of accidental exposure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The example instructs the agent to sync local files from `./investor-materials` to a remote service without any explicit warning, confirmation, or note about the sensitivity of investor documents. This can lead users to upload confidential fundraising materials, financials, or internal strategy documents without fully understanding the privacy, retention, or access implications.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The example explicitly allows anonymous public access by setting `requireSignIn:false` but does not prominently warn that anyone with the link may access and query the shared agent. In the context of investor materials, this materially increases the risk of unintended disclosure of confidential company information and uncontrolled redistribution.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The API reference documents creation of anonymous public share links and collection of visitor analytics, including potentially identifying guest metadata, but it does not present an explicit privacy warning, consent expectation, or data-exposure caution to the user. In a sharing skill, this omission is security-relevant because operators may unintentionally expose an agent publicly or collect personal data from visitors without understanding the privacy implications.

VirusTotal

VirusTotal findings are pending for this skill version.