PokoClan API

Security checks across malware telemetry and agentic risk

Overview

This is a working Pokoclan forum API helper, but it embeds an auth token in its own documentation, tells users to dig further tokens out of local session files and API records, and grants broad authority to post, message, delete, upload files, and send authenticated requests to arbitrary URLs with weak boundaries.

Install only if you control the Pokoclan bot/account and can review the skill first. Rotate any exposed token, remove token-recovery instructions, replace hardcoded tokens with placeholders or a secret store, restrict the helper to the Pokoclan API host and intended endpoints, avoid --insecure by default, and require explicit approval for deletes, chats, admin actions, settings changes, and file uploads.
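
The restrictions listed above (one API host, intended endpoints only, no --insecure, explicit approval for deletes, chats, admin and settings actions, and uploads confined to a known directory) can be enforced in a small policy gate in front of the helper. The block below is an added example and not the skill's own code; the host forum.example.test, the endpoint paths, the approval flag and the sample file are assumptions chosen for illustration.

```python
"""
Request-policy gate for an authenticated forum API helper.
Added example, not the PokoClan skill's own code; host, endpoint
paths and the `approved` flag are illustrative assumptions.
"""
import posixpath
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

ALLOWED_HOST = "forum.example.test"   # assumption: the only host the token may be sent to

# Intended endpoints. Per method: True = needs explicit operator approval.
ENDPOINTS = {
    "/api/posts":    {"GET": False, "POST": True, "DELETE": True},
    "/api/threads":  {"GET": False},
    "/api/messages": {"GET": True},      # private chats: readable only with approval
    "/api/upload":   {"POST": True},
}


class PolicyError(Exception):
    pass


def check_request(url: str, method: str, insecure: bool = False, approved: bool = False) -> str:
    """Return the normalized method if the request may carry the token; raise PolicyError otherwise."""
    method = method.upper()
    if insecure:
        raise PolicyError("refusing to disable TLS verification for an authenticated request")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise PolicyError(f"scheme {parts.scheme!r} not allowed; the token only travels over https")
    # hostname strips userinfo, so https://forum.example.test@evil.example/ is seen as evil.example
    if parts.hostname != ALLOWED_HOST or parts.port not in (None, 443):
        raise PolicyError(f"host {parts.netloc!r} is outside the allowlist; token not sent")
    path = posixpath.normpath(parts.path or "/")     # collapses /api/posts/../admin before matching
    for prefix, methods in ENDPOINTS.items():
        if path == prefix or path.startswith(prefix + "/"):
            if method not in methods:
                raise PolicyError(f"{method} is not an intended operation on {prefix}")
            if methods[method] and not approved:
                raise PolicyError(f"{method} {path} needs explicit operator approval")
            return method
    raise PolicyError(f"{path} is not an intended endpoint")


def decide(url, method, insecure=False, approved=False):
    """Convenience wrapper: (allowed, normalized method or refusal reason)."""
    try:
        return True, check_request(url, method, insecure, approved)
    except PolicyError as exc:
        return False, str(exc)


def upload_path(requested: str, root: Path) -> Path:
    """Confine multipart uploads to regular files inside `root`; '..', absolute paths and symlinks out of it are refused."""
    root = root.resolve()
    candidate = (root / requested).resolve()       # an absolute `requested` replaces root entirely
    if root not in candidate.parents:
        raise PolicyError(f"{requested!r} resolves outside {root}")
    if not candidate.is_file():
        raise PolicyError(f"{requested!r} is not a regular file under {root}")
    return candidate


def upload_demo():
    """Exercise upload_path against a throwaway directory with one constructed file; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "avatar.png").write_bytes(b"\x89PNG constructed sample, not a real image")
        outcomes = {"inside": upload_path("avatar.png", root).name}
        for bad in ("../../etc/passwd", "/etc/passwd", "missing.png"):
            try:
                upload_path(bad, root)
                outcomes[bad] = "allowed"
            except PolicyError:
                outcomes[bad] = "refused"
        return outcomes


if __name__ == "__main__":
    for case in (("https://forum.example.test/api/posts/12", "get", False, False),
                 ("https://forum.example.test/api/posts/12", "delete", False, False),
                 ("https://forum.example.test/api/posts/12", "delete", False, True),
                 ("https://forum.example.test/api/posts", "get", True, False),
                 ("https://attacker.example/api/posts", "get", False, False),
                 ("https://forum.example.test/api/posts/../admin/promote", "post", False, True)):
        print(case[:2], decide(*case))
    print(upload_demo())
```

The gate decides before any token is attached to a request, so a prompt that steers the agent toward another host, a plain-http URL, an --insecure flag, or a path-traversal trick fails closed instead of replaying the credential. The `approved` flag stands in for whatever human-in-the-loop confirmation the agent runtime provides.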

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Tainted flow: 'req' from os.environ.get (line 83, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    req = urllib.request.Request(args.url, data=body, method=args.method.upper(), headers=headers)
    try:
        with urllib.request.urlopen(req, context=context) as resp:
            raw = resp.read().decode("utf-8", errors="replace")
            print(json.dumps({"status": resp.status, "body": _try_json(raw)}, ensure_ascii=False, indent=2))
    except urllib.error.HTTPError as e:
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, context=context) as resp:

Tainted flow: 'req' from os.environ.get (line 83, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    body.extend(f"--{boundary}--\r\n".encode("utf-8"))
    req = urllib.request.Request(args.url, data=bytes(body), method=args.method.upper(), headers=headers)
    try:
        with urllib.request.urlopen(req, context=context) as resp:
            raw = resp.read().decode("utf-8", errors="replace")
            print(json.dumps({"status": resp.status, "body": _try_json(raw)}, ensure_ascii=False, indent=2))
    except urllib.error.HTTPError as e:
Confidence
98% confidence
Finding
with urllib.request.urlopen(req, context=context) as resp:
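
Both findings above are the same pattern: a token read from the environment reaches urlopen only through intermediate variables (the headers dict, then the Request object bound to `req`), which is the "Variable-Mediated Taint Flow" the scanner lists. The block below is an added illustration of how such a flow is found and is not SkillSpector's engine; it is a flow-insensitive toy tracker over Python's `ast`, run on a constructed source string that mirrors the excerpt (the env var name POKOCLAN_TOKEN and the line layout are assumptions). It needs Python 3.9+ for `ast.unparse`.

```python
"""
Toy intra-file taint tracker: source = os.environ.get / os.getenv / os.environ[...],
sink = urllib.request.urlopen.  Added example, not SkillSpector's implementation.
Flow-insensitive: it ignores branches and loops and treats any tainted
sub-expression as tainting the whole expression.
"""
import ast

SOURCES = {"os.environ.get", "os.getenv"}        # credential/environment sources
SINKS = {"urllib.request.urlopen", "urlopen"}    # network-output sinks


def dotted(node):
    """'urllib.request.urlopen' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class Tracker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = {}     # variable name -> line of the source it derives from
        self.findings = []    # (sink line, sink name, argument text, source line)

    def origin(self, node):
        """Line of the source an expression derives from, or None if clean."""
        if isinstance(node, ast.Call) and dotted(node.func) in SOURCES:
            return node.lineno
        if isinstance(node, ast.Subscript) and dotted(node.value) == "os.environ":
            return node.lineno
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        # dict values, f-string pieces, call arguments, method receivers: any tainted child taints the parent
        for child in ast.iter_child_nodes(node):
            src = self.origin(child)
            if src is not None:
                return src
        return None

    def visit_Assign(self, node):
        src = self.origin(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if src is None:
                    self.tainted.pop(target.id, None)   # reassignment with clean data clears taint
                else:
                    self.tainted[target.id] = src       # variable-mediated propagation
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = dotted(node.func)
        if sink in SINKS:
            for arg in list(node.args) + [kw.value for kw in node.keywords]:
                src = self.origin(arg)
                if src is not None:
                    self.findings.append((node.lineno, sink, ast.unparse(arg), src))
        self.generic_visit(node)


def scan(source: str):
    """Return every (sink line, sink, argument, source line) flow found in `source`."""
    tracker = Tracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed sample mirroring the flagged excerpt; not the skill's actual file.
SAMPLE = '''import os, urllib.request

def main(args):
    token = os.environ.get("POKOCLAN_TOKEN")
    headers = {"Authorization": f"Bearer {token}"}
    req = urllib.request.Request(args.url, method=args.method.upper(), headers=headers)
    with urllib.request.urlopen(req) as resp:
        print(resp.read())
    probe = urllib.request.Request("https://example.test/health")
    urllib.request.urlopen(probe)
'''

if __name__ == "__main__":
    for sink_line, sink, arg, src_line in scan(SAMPLE):
        print(f"Tainted flow: {arg!r} from os.environ.get (line {src_line}) -> {sink} (line {sink_line})")
```

On the sample it reports exactly one flow, `req` at line 7 derived from the `os.environ.get` call at line 4; the second `urlopen` of the constant-URL `probe` is not flagged. Reassigning a tainted name to clean data drops it from the taint set, which is the behaviour a scanner needs to avoid flagging a token variable that was overwritten before the request was built.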

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation explicitly instructs users to mine unrelated session files and API records for authentication tokens, which is credential harvesting from broader local context. This bypasses normal secret management and can expose other accounts' or sessions' secrets, enabling unauthorized API access and lateral misuse.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The reference includes login, signup, and admin account-promotion endpoints that are broader than the stated forum-reading/content-management purpose. Expanding a skill's documented capabilities to account and admin actions increases the chance an agent will invoke privileged operations outside user expectations, especially if the same runtime token is reused.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Documenting access to user messages and private chats extends the skill into sensitive private communications, which exceeds a normal forum-content scope. This creates unnecessary access to personal data and raises the risk of privacy violations or unintended surveillance if the agent follows the reference literally.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The multipart feature permits reading any local path and uploading it to a remote URL, which exceeds the stated purpose of a forum API helper and creates a clear local file exfiltration channel. In an agent skill, this mismatch between claimed scope and actual capability materially increases risk.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Accepting any HTTP method and any URL turns the script into a generic authenticated network primitive rather than a forum-specific helper. That broader capability makes abuse easy: the loaded token can be replayed to arbitrary servers and the tool can be used outside its declared scope.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The --insecure option disables TLS certificate verification, enabling man-in-the-middle interception of the authentication token and request data. For a tool that handles bearer-style API credentials, this materially weakens transport security without a strong justification.

Missing User Warnings

High
Confidence
100% confidence
Finding
The skill embeds a live-looking auth token directly in documentation and examples, normalizing secret disclosure and making credential compromise trivial for anyone who can read the file. Because the same token is then used for authenticated write/delete/chat actions, exposure can immediately lead to unauthorized posting, deletion, or message access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation includes destructive delete behavior as part of normal workflow with no confirmation, authorization, or operator warning. In an agent context, that increases the risk of unintended content deletion through prompt ambiguity, automation mistakes, or misuse of the exposed token.

Missing User Warnings

High
Confidence
98% confidence
Finding
These instructions direct the operator to search sensitive session artifacts and API call records for credentials without any handling safeguards, effectively operationalizing secret extraction. In a multi-skill or multi-user environment, that can expose unrelated private data and long-lived tokens beyond the intended scope of this skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation exposes endpoints for reading user messages and other sensitive content without prominent privacy or data-handling warnings. In an agent setting, missing guardrails around private content can normalize access to sensitive user data and increase the likelihood of over-collection or disclosure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The examples include what appears to be a real bot token in plaintext. Embedding live-looking credentials in reference material can lead to immediate secret leakage, unauthorized API use, impersonation of the bot, and broader compromise if the token is valid or reused elsewhere.

Missing User Warnings

High
Confidence
97% confidence
Finding
The write-operation examples repeatedly use --insecure/curl -k, which disables TLS certificate validation and permits man-in-the-middle interception or modification of authenticated requests. Because these are write actions carrying tokens and user content, the integrity and confidentiality impact is significant.

Ssd 3

High
Confidence
99% confidence
Finding
The skill tells users to recover and reuse auth tokens from prior session files and API records, which is explicit secret extraction and replay. This undermines account separation, violates least privilege, and can turn ordinary local transcript access into unauthorized control of forum actions.

VirusTotal

67/67 vendors flagged this skill as clean.