Bce Cert Skill Pkg

Security checks across malware telemetry and agentic risk

Overview

The certificate tool mostly does what it claims, but the package also includes an unrelated Gitee publishing script with a hardcoded token and privileged automation surfaces that need review before use.

Review before installing. Remove upload_skill.py from the package, rotate or revoke the exposed Gitee token if it is real, use a least-privilege Baidu DNS key limited to the target zone, protect config.conf and the skill directory from untrusted writes, avoid RENEW_HOOK unless the command is fully trusted, and run scheduled renewal under the least-privileged account that can perform the task rather than SYSTEM where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    renew_hook = cfg.get("RENEW_HOOK", "").strip()
    if renew_hook:
        log.info("执行续期钩子: %s", renew_hook)
        ret = subprocess.run(renew_hook, shell=True)
        if ret.returncode != 0:
            log.warning("续期钩子执行失败(返回码 %d)", ret.returncode)
Confidence
98% confidence
Finding
ret = subprocess.run(renew_hook, shell=True)

Tainted flow: 'data' from pathlib.Path.read_bytes (line 37, file read) → requests.put (network output)

High
Category
Data Flow
Content
    time.sleep(1)

    if sha:
        r = requests.put(
            f'https://gitee.com/api/v5/repos/{REPO_FULL}/contents/{fname}',
            json=data, headers=headers, verify=False, timeout=30
        )
Confidence
95% confidence
Finding
r = requests.put( f'https://gitee.com/api/v5/repos/{REPO_FULL}/contents/{fname}', json=data, headers=headers, verify=False, timeout=30 )

Tainted flow: 'data' from pathlib.Path.read_bytes (line 37, file read) → requests.post (network output)

High
Category
Data Flow
Content
            json=data, headers=headers, verify=False, timeout=30
        )
    else:
        r = requests.post(
            f'https://gitee.com/api/v5/repos/{REPO_FULL}/contents/{fname}',
            json=data, headers=headers, verify=False, timeout=30
        )
Confidence
95% confidence
Finding
r = requests.post( f'https://gitee.com/api/v5/repos/{REPO_FULL}/contents/{fname}', json=data, headers=headers, verify=False, timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares no permissions even though its documented behavior and referenced commands imply access to environment variables, local files, network services, and shell execution. This creates a transparency and consent problem: users may invoke the skill without understanding that it can read secrets from config files, write certificate material, contact external services, and register scheduled tasks. In a credential-handling certificate automation tool, undeclared capabilities are especially risky because it processes API keys and private keys.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is DNS-based Let's Encrypt certificate management, but the analyzed behavior reportedly also uses a hardcoded Gitee API token to create repositories and upload local files such as SKILL.md, README.md, and directory contents to a remote Gitee repository. That is a serious hidden exfiltration/backdoor pattern unrelated to certificate issuance, and it could leak configuration files, credentials, private keys, or other sensitive local content to an attacker-controlled remote service. Because this is a cert-management skill, the surrounding context makes the mismatch more dangerous: the environment is likely to contain BCE API credentials and TLS private keys.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly supports executing an arbitrary shell command from configuration after renewal, which exceeds the core purpose of DNS-based certificate issuance and creates a command-execution extension point. In practice, this turns a certificate automation tool into a general command runner, so config compromise or unsafe user input can lead to full system command execution.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file's primary behavior is creating a Gitee repository and uploading local skill files, which does not match the declared functionality of managing Let's Encrypt certificates via Baidu Cloud DNS. Such capability mismatch is a strong indicator of hidden or undeclared behavior and materially increases the likelihood of unauthorized code or data publication.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code embeds capability to interact with Gitee's content API, including authentication and file uploads, despite the skill's certificate-management purpose not requiring code-hosting access. Unjustified external publishing capability expands attack surface and can be used to exfiltrate local files or silently publish code artifacts.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Automatically creating a remote repository on execution is unrelated to certificate issuance and indicates undeclared external side effects. Even if intended for packaging, performing this action inside the skill creates surprising behavior and can facilitate unauthorized publication of project contents.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module docstring explicitly states that the file uploads a skill package to Gitee, contradicting the overall documented purpose of DNS-based certificate management. This mismatch is not just documentation drift; in context it accurately signals unrelated network publishing behavior that users would not reasonably expect from this skill.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The usage section exposes broad natural-language trigger phrases such as applying for certificates, checking status, and configuring renewal without any documented activation constraints, confirmation requirements, or scope limits. In an agent setting, vague triggers can cause the skill to run during ordinary conversation and perform sensitive infrastructure actions like DNS modification or certificate issuance unexpectedly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script uploads local files to an external service without prompting, warning, or obtaining consent from the operator. Silent outbound transfer is dangerous because users may execute the script expecting certificate automation, not publication of local repository contents to Gitee.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Repository creation happens immediately when the script runs, with no confirmation or warning. This creates an unexpected remote side effect and can establish external storage for subsequent uploads without the user's informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.