PDCA+ISO9001质量管理 (PDCA + ISO 9001 Quality Management)

Security checks across malware telemetry and agentic risk

Overview

This quality-management skill mostly matches its stated purpose, but it needs review because persisted rule conditions are evaluated as Python expressions with eval(), and report output paths are not constrained to the reports directory.

Install only after reviewing or disabling the eval-based rule handling, and treat the knowledge base as persistent local storage. Feed it only trusted project and rule inputs, avoid storing secrets or sensitive customer data, escape untrusted fields before they are inserted into the HTML report, and restrict report filenames to safe basenames inside the reports directory before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

eval() call detected

High
Category
Dangerous Code Execution
Content
for key, value in context.items():
    condition = condition.replace(f"${key}", str(value))
# Evaluate the condition (simplified implementation)
if eval(condition, {"__builtins__": {}}, {}):
    rule['trigger_count'] += 1
    matched_rules.append(rule)
    # Update the trigger count
Confidence
99% confidence
Finding
if eval(condition, {"__builtins__": {}}, {}):

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises executable Python components and clear file read/write behavior, but the manifest does not declare corresponding permissions or data-access expectations. This weakens the trust boundary for users and hosting systems, because the skill can persist or access local data without explicit disclosure or policy gating.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose frames the skill as quality-management assistance, but the described implementation includes persistent storage, auto-learning, notification behavior, and especially rule evaluation using eval() against context data. That mismatch hides materially risky behaviors from users and operators, and eval-based rule execution can become code injection or arbitrary command execution if untrusted rule or context data is accepted.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This is a real logic flaw: the code checks mandatory status with `self.CHECK_ITEMS.get(result.name, {})`, but `result.name` contains localized display names like `信息真实性校验` (information authenticity check) rather than internal keys like `information_authenticity`, so the lookup always returns the empty default. As a result, mandatory failures are silently missed in `_assess_risk_level` and `_generate_summary`, causing underreported risk and weaker required-action/warning generation for decisions that should be treated as higher risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The rule-evaluation feature executes persisted rule conditions dynamically, which grants stored data control over program logic. That capability is unnecessary for basic quality-management matching and becomes more dangerous here because rules can be auto-extracted from project data and later executed without strong validation, enabling malicious or malformed rule expressions to alter behavior or exhaust resources.
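The three eval-related findings above (the flagged snippet, the Tool Poisoning mismatch and this capability finding) share one root cause: context values are spliced into the condition text and the result is handed to eval(). The following added example is not code from the skill or from SkillSpector; it reproduces the flagged pattern with constructed rules and context (the rule names, keys and values are assumptions) to show two things the empty `__builtins__` dict does not prevent, then replaces eval() with an ast-based interpreter that accepts only comparisons and boolean operators and binds context values as variables instead of substituting them into source text.

```python
import ast
import operator

# Constructed sample data (an assumption for this example, not the skill's own rules).
# The unsafe rule uses the "$name" placeholder syntax seen in the flagged snippet;
# the safe rule references context keys as plain identifiers instead.
UNSAFE_RULES = [{"name": "high-defect-rate",
                 "condition": "$defect_rate > 0.05 and '$stage' == 'check'"}]
SAFE_RULES = [{"name": "high-defect-rate",
               "condition": "defect_rate > 0.05 and stage == 'check'"}]
HONEST_CONTEXT = {"defect_rate": 0.1, "stage": "check"}
# A context value that rewrites the expression once it is spliced into the text.
INJECTED_CONTEXT = {"defect_rate": 0.01, "stage": "x' or 1 == 1 or '"}


def match_rules_unsafe(rules, context):
    """The pattern the scanner flagged: textual substitution, then eval().
    Removing __builtins__ hides names such as open(), but the full expression
    grammar (attribute access, calls, the ** operator) remains available."""
    matched = []
    for rule in rules:
        condition = rule["condition"]
        for key, value in context.items():
            condition = condition.replace(f"${key}", str(value))
        if eval(condition, {"__builtins__": {}}, {}):
            matched.append(rule["name"])
    return matched


def sandbox_leaks_object_internals():
    """With no builtins at all, eval() still walks the object graph. This is the
    usual first step of a sandbox escape; it returns a non-empty class list."""
    classes = eval("().__class__.__mro__[1].__subclasses__()",
                   {"__builtins__": {}}, {})
    return len(classes) > 0


# Hardened replacement: parse the condition into an AST and interpret only a
# small boolean/comparison grammar. Context values are bound as variables, never
# spliced into the source text, so their content cannot change the expression.
_COMPARISONS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
                ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


def _evaluate(node, variables):
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, variables)
    if isinstance(node, ast.Constant) and isinstance(node.value, (bool, int, float, str)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in variables:
            raise ValueError(f"unknown variable {node.id!r}")
        return variables[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _evaluate(node.operand, variables)
    if isinstance(node, ast.BoolOp):
        values = (_evaluate(v, variables) for v in node.values)
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):
        left = _evaluate(node.left, variables)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _COMPARISONS:
                raise ValueError(f"disallowed comparison {type(op).__name__}")
            right = _evaluate(comparator, variables)
            if not _COMPARISONS[type(op)](left, right):
                return False
            left = right
        return True
    # Attribute access, calls, arithmetic such as 9**9**9, subscripts: all rejected.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_eval_condition(condition, variables, max_length=200):
    """Evaluate a persisted rule condition without eval()."""
    if len(condition) > max_length:
        raise ValueError("condition too long")
    try:
        tree = ast.parse(condition, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid condition: {exc.msg}") from None
    return bool(_evaluate(tree, variables))


def match_rules_safe(rules, context):
    return [rule["name"] for rule in rules
            if safe_eval_condition(rule["condition"], context)]


if __name__ == "__main__":
    print("unsafe, honest context:  ", match_rules_unsafe(UNSAFE_RULES, HONEST_CONTEXT))
    print("unsafe, injected context:", match_rules_unsafe(UNSAFE_RULES, INJECTED_CONTEXT))
    print("safe, injected context:  ", match_rules_safe(SAFE_RULES, INJECTED_CONTEXT))
    print("builtins-free eval still reaches object internals:", sandbox_leaks_object_internals())
```

With the injected context the unsafe matcher fires the rule even though `defect_rate` is 0.01, because the substituted text parses as `(0.01 > 0.05 and 'x') or 1 == 1 or '' == 'check'`. The interpreter version rejects attribute access, calls and arithmetic outright, which also closes the resource-exhaustion path the finding mentions, and it caps condition length so a stored rule cannot be used to stall the process at parse time.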

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The HTML conversion pipeline inserts report content directly into HTML without escaping untrusted fields such as project names, summaries, issues, and decision content. Because those values are attacker-controlled in many realistic workflows, a crafted value containing HTML or script-capable markup can become active content in the generated report, leading to stored XSS or malicious HTML execution when the report is viewed.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The function is described as a simple Markdown-to-HTML converter, but it does not remove or neutralize raw HTML already present in the markdown content. This mismatch is security-relevant because callers may assume the routine produces passive output, while embedded attacker HTML is preserved and rendered in the final report.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The save_report method joins a user-influenced filename directly with the reports directory and does not normalize or validate traversal sequences. An attacker can supply names like '../../some/target' or absolute-path variants to overwrite files outside the intended report directory, which can lead to arbitrary file write within the process permissions.
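The HTML-escaping, Markdown-conversion and save_report findings above concern one report pipeline, so a single added example covers all three. It is not code from the skill or from SkillSpector; the report fields, the Markdown subset and the filename rules are assumptions chosen for illustration. Untrusted fields are escaped with html.escape at the point of interpolation, the Markdown converter escapes raw HTML before emitting its own tags, and a filename is accepted only as a plain basename whose resolved path is a direct child of the reports directory.

```python
import html
import os
import re
import tempfile
from pathlib import Path

# Constructed report, an assumption for this example (not output from the skill),
# carrying the kind of attacker-influenced fields the findings describe.
CONSTRUCTED_REPORT = {
    "project_name": "Line 3 audit <script>alert(document.cookie)</script>",
    "summary": "Q3 review <b>not</b> escaped by the original pipeline",
    "issues": ["<img src=x onerror=alert(1)>", "Late supplier delivery"],
    "decision": "# Decision\n- Approve **with conditions**\n<svg onload=alert(1)>",
}


def markdown_to_html(markdown):
    """Minimal converter that neutralises raw HTML first, then applies markup.
    Escaping before adding our own tags means only the tags we emit survive."""
    lines = []
    for raw in markdown.splitlines():
        line = html.escape(raw, quote=True)
        line = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", line)
        if line.startswith("# "):
            lines.append(f"<h2>{line[2:]}</h2>")
        elif line.startswith("- "):
            lines.append(f"<li>{line[2:]}</li>")
        else:
            lines.append(f"<p>{line}</p>")
    return "\n".join(lines)


def render_report_html(report):
    """Every untrusted field is escaped where it is interpolated."""
    issues = "".join(f"<li>{html.escape(issue)}</li>" for issue in report["issues"])
    return (f"<h1>{html.escape(report['project_name'])}</h1>\n"
            f"<p>{html.escape(report['summary'])}</p>\n"
            f"<ul>{issues}</ul>\n"
            f"{markdown_to_html(report['decision'])}\n")


# First character alphanumeric (rejects '.', '..', dotfiles), then a short safe
# character set: no separators, no traversal sequences, no control characters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,99}")


def safe_report_path(reports_dir, filename):
    """Accept only a plain basename, then confirm the resolved path is a direct
    child of the reports directory (covers '../x', '/etc/x', 'a/b' and symlinks)."""
    if os.path.basename(filename) != filename or not _SAFE_NAME.fullmatch(filename):
        raise ValueError(f"unsafe report filename: {filename!r}")
    base = Path(reports_dir).resolve()
    target = (base / filename).resolve()
    if target.parent != base:
        raise ValueError(f"report path escapes {base}: {target}")
    return target


def save_report(report, filename, reports_dir):
    target = safe_report_path(reports_dir, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(render_report_html(report), encoding="utf-8")
    return target


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = save_report(CONSTRUCTED_REPORT, "q3-review.html", tmp)
        print(path.read_text(encoding="utf-8"))
        for bad in ["../../etc/passwd", "/tmp/x.html", "..", ".bashrc", "a/b.html"]:
            try:
                safe_report_path(tmp, bad)
            except ValueError as exc:
                print("rejected:", exc)
```

Two checks are deliberately stacked in `safe_report_path`: the basename and character-set test rejects traversal input before any filesystem call, and the resolve-then-compare step catches anything the first test did not anticipate, such as a symlink planted inside the reports directory. Rejecting with an exception, rather than silently stripping the directory part, keeps a traversal attempt visible in logs instead of quietly writing to a different file than the caller asked for.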

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly mentions automatic knowledge-base generation, archival, and experience extraction, but it does not warn that project content may be retained locally over time. This creates a confidentiality and privacy risk because sensitive decision context, reports, or operational history may be stored beyond the user's expectation and later reused or exposed.

VirusTotal

67/67 vendors flagged this skill as clean.
