
Security checks across malware telemetry and agentic risk

Overview

This Tencent Cloud storage skill is largely transparent about what it does, but it grants an agent broad cloud authority (object deletion, credential persistence, bucket configuration changes, dataset indexing, and arbitrary CI API calls) without strong built-in guardrails.

Install it only if you intend to let an agent manage Tencent Cloud COS/CI resources, and then:
  • Run it under a dedicated least-privilege sub-account or short-lived STS credentials scoped to the specific buckets and the CI actions the task needs; never hand it broad COS/CI full-control keys.
  • Review every delete, bulk delete, bucket configuration change, signed URL, dataset binding, and ci-request operation before it executes.
  • Avoid persisting credentials; if you must, accept that `.env` and `.env.enc` are local secret storage and that `decrypt-env` writes plaintext credentials back to disk.
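The scoping advice above can be enforced locally as well as in CAM: derive the wrapper's own allowlist from the policy you attach to the sub-account, so the agent never even attempts a call the credential could not make, and treat the `ci-request` escape hatch as a closed route list rather than an open proxy. The following is an added example, not code from the skill or from Tencent's SDKs; the CAM policy, bucket name, region, CI route pattern and the `authorize()` wrapper hook are constructed for illustration, and CAM action names should be checked against Tencent's documentation.

```python
"""Scope guard for an agent-driven Tencent Cloud COS/CI wrapper.

Added example; not code from the skill or from Tencent's SDKs. It assumes a
hypothetical wrapper that calls authorize() before every SDK or API call.
The CAM policy, bucket names, region and CI routes are constructed for
illustration; verify action names against Tencent's CAM documentation.
"""
from dataclasses import dataclass
from typing import Optional
import fnmatch
import re

# CAM resource strings for COS have the shape qcs::cos:<region>:uid/<appid>:<bucket>/<key>
_RESOURCE = re.compile(r"^qcs::cos:[^:]*:uid/\d+:([^/*]+)(?:/.*)?$")


@dataclass(frozen=True)
class Scope:
    buckets: frozenset       # bucket names the agent may touch
    actions: frozenset       # COS actions granted on them, e.g. "GetObject"
    ci_routes: tuple = ()    # allowed (METHOD, path glob) pairs for the ci-request escape hatch


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scope_from_cam_policy(policy: dict, ci_routes=()) -> Scope:
    """Derive the local guard from the CAM policy attached to the sub-account.
    Wildcard resources or actions are refused outright: they are exactly the
    broad full-control grant the overview says to avoid."""
    buckets, actions = set(), set()
    for stmt in policy.get("statement", []):
        if stmt.get("effect") != "allow":
            continue  # deny statements are enforced by CAM itself; we only narrow further
        for res in _as_list(stmt.get("resource", [])):
            match = _RESOURCE.match(res)
            if match is None:
                raise ValueError(f"refusing unparseable or wildcard resource {res!r}")
            buckets.add(match.group(1))
        for act in _as_list(stmt.get("action", [])):
            act = act.split("/", 1)[-1]  # tolerate the older "name/cos:GetObject" spelling
            if act in ("*", "cos:*"):
                raise ValueError("refusing wildcard action grant")
            actions.add(act.removeprefix("cos:"))
    return Scope(frozenset(buckets), frozenset(actions), tuple(ci_routes))


def authorize(scope: Scope, action: str, bucket: str,
              ci_method: Optional[str] = None, ci_path: Optional[str] = None) -> Decision:
    """Decide whether one proposed call is inside the declared scope."""
    if bucket not in scope.buckets:
        return Decision(False, f"bucket {bucket!r} is outside the allowed set")
    if action == "ci-request":
        # Generic escape hatch: only explicitly listed (method, path) routes pass.
        if not ci_method or not ci_path:
            return Decision(False, "ci-request needs an explicit method and path")
        if not ci_path.startswith("/") or ".." in ci_path or "?" in ci_path:
            return Decision(False, f"rejecting suspicious CI path {ci_path!r}")
        for method, pattern in scope.ci_routes:
            if method == ci_method.upper() and fnmatch.fnmatchcase(ci_path, pattern):
                return Decision(True, f"ci-request {method} {ci_path} matches route {pattern!r}")
        return Decision(False, f"ci-request {ci_method} {ci_path} is not an allowed route")
    if action not in scope.actions:
        return Decision(False, f"action {action!r} is not granted by the policy")
    return Decision(True, f"{action} on {bucket} is in scope")


# Constructed sub-account policy: read/write on one bucket, no deletes, no bucket config.
AGENT_POLICY = {
    "version": "2.0",
    "statement": [{
        "effect": "allow",
        "action": ["cos:GetObject", "cos:PutObject", "cos:GetBucket"],
        "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],
    }],
}
# Constructed CI route allowlist; list only the paths you have actually reviewed.
AGENT_SCOPE = scope_from_cam_policy(AGENT_POLICY, ci_routes=(("GET", "/image/auditing/*"),))

if __name__ == "__main__":
    for call in (("GetObject", "examplebucket-1250000000"),
                 ("DeleteObject", "examplebucket-1250000000"),
                 ("GetObject", "otherbucket-1250000000"),
                 ("ci-request", "examplebucket-1250000000", "GET", "/image/auditing/job-1"),
                 ("ci-request", "examplebucket-1250000000", "DELETE", "/image/auditing/job-1")):
        print(authorize(AGENT_SCOPE, *call))
```

The local guard is a convenience, not the security boundary: CAM still decides server-side. Its value is that a prompt-injected or misrouted request fails fast with a readable reason before any credential is used, and that a policy granting `*` is rejected at load time instead of silently widening the agent's reach.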

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence (Medium severity, 88% confidence)
Finding: The skill advertises that credentials are not written to disk by default, yet elsewhere it actively recommends persisting them to `.env` and to an encrypted `.env.enc`. Inconsistent security messaging can lead users to overtrust the workflow and hand over highly sensitive cloud credentials under a false assumption of non-persistence.

Context-Inappropriate Capability (Medium severity, 95% confidence)
Finding: The documented `ci-request` capability is a generic escape hatch that lets callers specify arbitrary CI API paths, methods, query parameters, and bodies, far exceeding the narrowly described skill actions. In an agent context this can enable unintended access to sensitive or destructive cloud operations, data exfiltration, moderation-bypass attempts, or invocation of APIs the skill author never explicitly constrained or reviewed.

Intent-Code Divergence (Medium severity, 97% confidence)
Finding: The script explicitly claims that bucket deletion and emptying are forbidden, yet it still exposes single-object and bulk deletion operations that can be used to empty a bucket in practice. In an agent-skill context that mismatch is dangerous: higher-level safety logic or users may rely on the stated guardrail while the code still permits destructive data loss.

Context-Inappropriate Capability (Medium severity, 95% confidence)
Finding: The generic `ci-request` entrypoint lets callers invoke arbitrary CI API paths and methods, bypassing the curated action list and any action-specific validation the script otherwise applies. In a tool/agent setting this is a capability-expansion primitive: unreviewed operations can be run against cloud resources with the skill's credentials.

Vague Triggers (Medium severity, 86% confidence)
Finding: The trigger phrases include broad everyday intents such as '把文件传到云上' (upload the file to the cloud), '生成下载链接' (generate a download link), and '帮我建个知识库' (help me build a knowledge base), which can activate this high-privilege cloud skill in ambiguous contexts. Overbroad invocation raises the risk of accidental credential requests, unintended cloud operations, or routing unrelated user tasks into a capability that can modify local and remote state.

Missing User Warnings (Medium severity, 90% confidence)
Finding: The skill documents high-impact actions, including uploads, deletions, credential persistence, and arbitrary `ci-request` API access, but imposes no consistent confirmation gate for destructive, billable, or privacy-sensitive operations. Without explicit approvals, the agent could take irreversible or costly actions on the basis of ambiguous user intent.

Missing User Warnings (Medium severity, 88% confidence)
Finding: The reference documents actions that upload, download, delete, transform, and submit content to remote cloud services without any warning, consent, or confirmation guidance. In an agent-driven workflow this raises the chance of accidental destructive actions, unauthorized sharing, or silent transmission of sensitive local or user data to Tencent Cloud services.

Missing User Warnings (Low severity, 74% confidence)
Finding: The MetaInsight section instructs users to configure `TENCENT_COS_DATASET_NAME` and use the image/text search features, but does not explain that indexed datasets and search queries may contain sensitive or personal information. The omission can lead to privacy-impacting use of cloud retrieval features without informed consent or appropriate data-classification controls.

Missing User Warnings (Medium severity, 91% confidence)
Finding: Single-object deletion executes immediately once invoked, with no execution-time warning, dry run, or confirmation barrier. In an agent-driven environment, a misread prompt or deliberate misuse can cause irreversible object deletion with the user's cloud credentials.

Missing User Warnings (High severity, 98% confidence)
Finding: Bulk deletion can remove many objects in one call and lacks any execution-time warning, preview, confirmation, or scope restriction. Because the skill is designed for natural-language triggering, an error or a malicious prompt could rapidly wipe large portions of stored data.
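The bulk-deletion finding above, and the earlier intent-code divergence about the code still being able to empty a bucket, both come down to one missing control: a preview that is bound to a confirmation. The gate below is an added example, not the skill's code. It assumes a hypothetical wrapper that lists candidate keys (here from a constructed in-memory listing standing in for a ListObjects response), shows the plan, and calls the injected SDK delete only when the caller echoes back the fingerprint of that exact plan; the object cap, bucket name and `RecordingDelete` stand-in are constructed.

```python
"""Preview-and-confirm gate for bulk object deletion.

Added example; not the skill's code. It assumes a hypothetical wrapper that
lists candidate keys (constructed in-memory listing below, standing in for a
ListObjects response), shows the plan, and runs the injected SDK delete only
when the caller echoes back the fingerprint of that exact plan.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MAX_BULK_DELETE = 100  # constructed cap on objects per bulk delete; tune per bucket

# Constructed listing standing in for the bucket's ListObjects result.
SAMPLE_LISTING: Dict[str, List[str]] = {
    "examplebucket-1250000000": [
        "logs/2024-01-01.gz", "logs/2024-01-02.gz", "logs/2024-01-03.gz",
        "backups/db.sql", "public/index.html",
    ],
}


@dataclass(frozen=True)
class DeletePlan:
    bucket: str
    prefix: str
    keys: Tuple[str, ...]

    @property
    def fingerprint(self) -> str:
        """Short digest over bucket, prefix and the exact key list, so a confirmation
        given for one preview cannot be replayed against a different plan."""
        h = hashlib.sha256()
        for part in (self.bucket, self.prefix, *self.keys):
            h.update(part.encode("utf-8") + b"\0")
        return h.hexdigest()[:12]

    def preview(self) -> str:
        lines = [f"Bulk delete in {self.bucket} under prefix {self.prefix!r}: {len(self.keys)} object(s)"]
        lines += [f"  - {k}" for k in self.keys]
        lines.append(f"Confirm by repeating fingerprint {self.fingerprint}")
        return "\n".join(lines)


def plan_bulk_delete(listing: Dict[str, List[str]], bucket: str, prefix: str) -> DeletePlan:
    """Build the plan and refuse scopes that amount to emptying the bucket."""
    if not prefix.strip("/"):
        raise ValueError("refusing bulk delete with an empty prefix: that would empty the bucket")
    all_keys = listing.get(bucket, [])
    keys = tuple(sorted(k for k in all_keys if k.startswith(prefix)))
    if not keys:
        raise ValueError(f"no objects under prefix {prefix!r}; nothing to delete")
    if len(keys) == len(all_keys):
        raise ValueError("plan would remove every object in the bucket; narrow the prefix")
    if len(keys) > MAX_BULK_DELETE:
        raise ValueError(f"{len(keys)} objects exceeds the cap of {MAX_BULK_DELETE}; split the job")
    return DeletePlan(bucket, prefix, keys)


def execute_bulk_delete(plan: DeletePlan, confirmation: str,
                        delete_fn: Callable[[str, List[str]], List[str]]) -> Tuple[bool, str]:
    """Delete only when the confirmation matches this exact plan. delete_fn is the
    injected SDK call (hypothetical signature: bucket, keys -> deleted keys)."""
    if confirmation.strip() != plan.fingerprint:
        return False, "confirmation does not match the previewed plan; nothing deleted"
    deleted = delete_fn(plan.bucket, list(plan.keys))
    return True, f"deleted {len(deleted)} object(s) under {plan.prefix!r} in {plan.bucket}"


class RecordingDelete:
    """Stand-in for the real SDK delete; it only records what would have been removed."""
    def __init__(self):
        self.calls = []

    def __call__(self, bucket: str, keys: List[str]) -> List[str]:
        self.calls.append((bucket, tuple(keys)))
        return list(keys)


if __name__ == "__main__":
    plan = plan_bulk_delete(SAMPLE_LISTING, "examplebucket-1250000000", "logs/")
    sdk = RecordingDelete()
    print(plan.preview())
    print(execute_bulk_delete(plan, "wrong", sdk))
    print(execute_bulk_delete(plan, plan.fingerprint, sdk))
```

Binding the confirmation to a digest of the key list matters in an agent loop: the model sees the preview, the human approves it, and if the listing has changed or the model re-plans under a broader prefix in between, the old approval no longer applies. The whole-bucket refusal is the code-level counterpart of the "emptying is forbidden" claim the script makes.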

Missing User Warnings (Medium severity, 90% confidence)
Finding: `decrypt-env` writes decrypted credentials back to a plaintext `.env` file on disk with no strong warning or friction at execution time. That raises the chance of accidental secret exposure through local compromise, backups, editor history, or later unsafe handling by users and other tools.

VirusTotal

57 of 57 vendors reported the skill as clean. A VirusTotal result reflects known-malware signatures and heuristics only; it says nothing about the agentic-risk findings above.
