skill-fixon-homepage

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real homepage chat bridge, but it exposes an agent-backed web service with weak authentication, session privacy gaps, and credential logging risks.

Review carefully before installing. Do not expose this service to the internet as-is; bind it to localhost or place it behind real authentication, fix the missing-Authorization bypass, remove or protect the sessions endpoint, validate session IDs, stop logging token-bearing URLs, and use only a public-purpose agent with limited privileges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares no permissions while its documented behavior clearly requires shell execution, filesystem access, network exposure, and likely environment/config handling. This is dangerous because operators may install or trust the skill without understanding its true capability and attack surface, which undermines review, sandboxing, and least-privilege controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This is a substantive security mismatch, not just a documentation issue: the described implementation exposes session metadata, stores visitor chat histories on disk, binds to 0.0.0.0, and may allow unauthenticated chat access while claiming context isolation and no sensitive-data exposure. These behaviors increase the risk of unauthorized access, privacy leakage, token disclosure, and remote abuse, especially for a public-facing homepage chat service.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The `/homepage/sessions` endpoint exposes all stored session identifiers, message counts, and activity timestamps without any authentication or authorization checks. In a multi-visitor homepage chat plugin, this enables conversation enumeration and leaks metadata about other users' interactions, which is not necessary for the stated feature and weakens visitor privacy.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code forwards the user's current message plus up to five prior messages to a gateway over WebSocket, but there is no visible user consent, disclosure, or privacy control in this skill. In the context of a homepage chat service for multiple visitors, undisclosed transmission of conversation contents to another service increases privacy and compliance risk, especially if users expect local handling only.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The plugin persists chat histories to local JSON files keyed by session ID without any visible retention notice, access control, or user-facing disclosure. For a public homepage chat system handling multiple visitors, silent storage of conversations can expose sensitive user content if the host is shared, backups are accessible, or files are later enumerated through other flaws.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script automatically reads an API key from the user's local config and sends it in an Authorization header during a test request, without requiring explicit confirmation or clearly warning that credentials will be transmitted. Although the destination is localhost, this still creates credential-handling risk if the local service is misbound, proxied, logged, or replaced by an unexpected process on the configured port.

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.100.0
uvicorn>=0.23.0
pyyaml>=6.0
requests>=2.28.0
Confidence
93% confidence
Finding
fastapi>=0.100.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.100.0
uvicorn>=0.23.0
pyyaml>=6.0
requests>=2.28.0
pydantic>=2.0.0
Confidence
93% confidence
Finding
uvicorn>=0.23.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.100.0
uvicorn>=0.23.0
pyyaml>=6.0
requests>=2.28.0
pydantic>=2.0.0
Confidence
96% confidence
Finding
pyyaml>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.100.0
uvicorn>=0.23.0
pyyaml>=6.0
requests>=2.28.0
pydantic>=2.0.0
Confidence
93% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
uvicorn>=0.23.0
pyyaml>=6.0
requests>=2.28.0
pydantic>=2.0.0
Confidence
91% confidence
Finding
pydantic>=2.0.0

Known Vulnerable Dependency: fastapi — 3 advisory(ies): CVE-2021-32677 (Cross-Site Request Forgery (CSRF) in FastAPI); CVE-2021-32677 (FastAPI is a web framework for building APIs with Python 3.6+ based on standard ); CVE-2024-24762 (FastAPI is a web framework for building APIs with Python 3.8+ based on standard )

High
Category
Supply Chain
Confidence
85% confidence
Finding
fastapi

Known Vulnerable Dependency: uvicorn — 4 advisory(ies): CVE-2020-7694 (Log injection in uvicorn); CVE-2020-7695 (HTTP response splitting in uvicorn); CVE-2020-7694 (This affects all versions of package uvicorn. The request logger provided by the) +1 more

High
Category
Supply Chain
Confidence
87% confidence
Finding
uvicorn

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
95% confidence
Finding
pyyaml

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
88% confidence
Finding
requests

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

High
Category
Supply Chain
Confidence
84% confidence
Finding
pydantic

VirusTotal

66/66 vendors flagged this skill as clean.