Rn Skills

Security checks across malware telemetry and agentic risk

Overview

The skill’s content-creation purpose is coherent, but its image helper script uses under-scoped shell execution, reads a shell profile for credentials, and can run hard-coded paid image generation outside the documented workflow.

Review before installing or running. Do not run generate_images.py as-is unless you accept fixed 24-image DashScope generation, shell-based command execution, reading ~/.zshrc for the key, and writes to hard-coded local paths. Safer use would require an explicit API key, user-selected topic/count/output directory, confirmation before paid API calls, and replacing shell curl/cp with native Python HTTP and file APIs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}}
  }}'
'''
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout

def get_task_status(task_id):
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd = f'''curl -s "https://dashscope.aliyuncs.com/api/v1/tasks/{task_id}" \\
  -H "Authorization: Bearer {API_KEY}"
'''
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout

def download_image(url, output_path):
Confidence
90% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def download_image(url, output_path):
    cmd = f'curl -s "{url}" -o "{output_path}"'
    subprocess.run(cmd, shell=True)

print("=" * 60)
print("开始生成穿搭图片...")
Confidence
97% confidence
Finding
subprocess.run(cmd, shell=True)

Tainted flow: 'cmd' from os.environ.get (line 83, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
}}
  }}'
'''
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout

def get_task_status(task_id):
Confidence
86% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Tainted flow: 'cmd' from os.environ.get (line 83, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
cmd = f'''curl -s "https://dashscope.aliyuncs.com/api/v1/tasks/{task_id}" \\
  -H "Authorization: Bearer {API_KEY}"
'''
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout

def download_image(url, output_path):
Confidence
83% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill invokes sensitive capabilities including environment-variable access, local file reads, and shell-based network calls, but does not declare them as permissions or warn the user. This undermines informed consent and creates a real risk of unintended secret exposure, filesystem access, and command execution beyond what a user would reasonably infer from the manifest.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill behavior goes beyond its stated purpose by accessing shell/environment state, reportedly reading ~/.zshrc for API credentials, and writing generated assets to a hardcoded local path. Accessing a user's shell profile can expose unrelated secrets, and hardcoded absolute-path writes can overwrite or place files in unexpected locations, making this a meaningful security and privacy issue.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill reads the user's ~/.zshrc to extract an API key if the environment variable is absent. That is broader local file access than required for image generation and silently harvests credentials from a shell initialization file that may contain unrelated sensitive data.

Context-Inappropriate Capability

High
Confidence
89% confidence
Finding
The skill uses shell command execution for network access and file operations even though its stated purpose is content/image generation. This grants unnecessary command execution capability, making any interpolation bug far more dangerous and enabling local system impact beyond the intended function.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill sends prompts and potentially user-influenced topic/material data to an external image-generation service without clearly disclosing that transmission in the description or warning the user. This can expose sensitive business ideas, private prompts, or proprietary source material to a third-party API, especially in a workflow that automatically collects and repackages content.

VirusTotal

59/59 vendors flagged this skill as clean.