New environment test (新环境测试)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Tencent Cloud COS integration, but it grants broad cloud-data authority and lacks enough guardrails for destructive or generic API actions.

Install only if you intend to let the agent operate Tencent Cloud COS/CI on your behalf. Use STS or a dedicated sub-account with the narrowest bucket-level permissions, avoid root or broad permanent keys, prefer ephemeral environment variables, and do not use delete, bulk delete, ACL/CORS changes, signed URL generation, or ci-request unless you have reviewed the exact target and effect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The skill's security messaging is internally inconsistent: it claims credentials are not written to disk by default, but the setup flow explicitly supports persisting them to `.env` and `.env.enc`. Even if persistence is optional, contradictory assurances can mislead users into disclosing high-value cloud credentials under a false sense of safety.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill includes local secret-file management plus encryption/decryption commands (`encrypt-env`, `decrypt-env`) beyond the core COS/CI integration purpose. Expanding scope into credential lifecycle management increases attack surface and normalizes handling raw secrets in local files, especially because decryption restores plaintext secrets on disk.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The documented `ci-request` action is a generic arbitrary API invocation primitive that bypasses the narrower, task-specific actions exposed elsewhere in the skill. In an agent setting, this materially expands capability scope and can enable unreviewed operations against CI endpoints, including sensitive moderation, file-processing, or other side-effecting requests, making misuse or prompt-induced abuse more likely.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The generic `ci-request` action allows callers to hit arbitrary CI API paths with arbitrary methods, which expands the skill beyond its declared and reviewable capability set. In an agent setting, this becomes a confused-deputy primitive: a prompt can drive the skill to invoke sensitive or destructive Tencent CI operations that were never explicitly modeled or safety-reviewed.

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger phrases are extremely broad, including generic intents like 'put files in the cloud', 'generate download link', and 'help me build a knowledge base'. Overbroad activation can cause the skill to engage in high-impact cloud operations unexpectedly, including credential solicitation, uploads, deletions, and arbitrary API calls when the user did not specifically intend Tencent COS actions.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documents destructive and high-impact capabilities—upload, download, delete, batch delete, bucket ACL/CORS changes, and arbitrary `ci-request` calls—without a unified warning/consent model. In practice, this can lead to accidental data loss, unauthorized exposure, or policy changes if the agent executes impactful commands based on natural-language prompts without explicit user acknowledgment.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation includes upload, download, and delete operations that can modify cloud or local data, but it does not require confirmation or warn about overwrite, deletion, or local file write risks. In an autonomous or semi-autonomous agent workflow, this can lead to accidental destructive actions or unintended data movement based on ambiguous user prompts.

Missing User Warnings

Medium
Confidence: 88%
Finding
The reference describes many operations that send files, text, metadata, or request bodies to Tencent Cloud services, but it does not disclose the privacy and data-transfer implications to users. This is risky because users or downstream agents may submit sensitive content to remote processing endpoints without understanding retention, exposure, compliance, or third-party handling concerns.

Missing User Warnings

Medium
Confidence: 91%
Finding
Single-object deletion executes immediately with no warning, dry-run, or confirmation barrier. In an agent workflow, prompt injection or user misunderstanding could cause irreversible remote data loss because the skill directly deletes cloud objects using stored credentials.

Missing User Warnings

Medium
Confidence: 95%
Finding
Bulk deletion is more dangerous than single-item deletion because a single request can remove many remote objects with no confirmation, preview, or limit checks. In an agent context, malformed input or adversarial prompting could trigger mass data loss across a bucket prefix or a large supplied key list.

Missing User Warnings

Medium
Confidence: 89%
Finding
`decrypt-env` restores secrets to plaintext `.env` on disk, increasing exposure to local compromise, accidental commits, backup leakage, or subsequent tool access. The issue is amplified in agent environments because a helper action can downgrade secret storage protections without an explicit warning or necessity check.

VirusTotal

65/65 vendors flagged this skill as clean.