
Security audit

Leewow Custom Gifts

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real custom-gift preview skill, but it needs review because it sends images to external services and has overbroad local configuration, URL-signing, and shell-command surfaces.

Review before installing. Use only images you are comfortable sending to Leewow/Tencent COS, provide a narrowly scoped Leewow key, avoid sensitive files in the workspace, and avoid untrusted tool inputs until command templating, environment loading, endpoint allowlisting, and COS presigning are constrained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Tainted flow: 'url' from os.getenv (line 25, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
        return _sts_cache

    url = LEEWOW_API_BASE + STS_ENDPOINT
    resp = requests.get(url, timeout=15)
    resp.raise_for_status()
    data = resp.json()
    if not data.get("tmpSecretId"):
Confidence
88% confidence
Finding
resp = requests.get(url, timeout=15)
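Added example, not the skill's own code, of one way to close this flow: treat the environment-derived LEEWOW_API_BASE as untrusted input and pin it to an allowlisted https host before it is joined with STS_ENDPOINT and handed to requests.get. The allowlisted host api.leewow.com, the default base, the STS path /api/cos/sts and the assumption that LEEWOW_API_BASE is read with os.getenv are illustrative; the page shows only the two constant names and the sink.

```python
"""Added example, not the Leewow skill's code: validate an environment-derived API base
before it reaches the flagged requests.get sink.

Assumptions (not on the page): the legitimate API host is api.leewow.com, the STS path is
/api/cos/sts, and LEEWOW_API_BASE is read with os.getenv as the finding states.
"""
import os
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_API_HOSTS = frozenset({"api.leewow.com"})  # assumed allowlist
DEFAULT_API_BASE = "https://api.leewow.com"         # assumed default
STS_ENDPOINT = "/api/cos/sts"                       # assumed path


class UnsafeEndpoint(ValueError):
    """Raised when the configured API base is outside policy."""


def resolve_api_base(raw: Optional[str]) -> str:
    """Return a normalised 'https://<host>' base, or raise UnsafeEndpoint.

    The env value is untrusted: a modified ~/.openclaw/.env or a poisoned process
    environment must not be able to point STS credential requests at another host.
    """
    value = (raw or DEFAULT_API_BASE).strip()
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise UnsafeEndpoint(f"scheme must be https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeEndpoint("userinfo embedded in API base")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_API_HOSTS:
        raise UnsafeEndpoint(f"host {host!r} is not in the allowlist")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeEndpoint(f"invalid port: {exc}") from None
    if port not in (None, 443):
        raise UnsafeEndpoint(f"unexpected port {port}")
    if parts.query or parts.fragment:
        raise UnsafeEndpoint("API base must not carry a query or fragment")
    # The path is discarded on purpose: endpoints are joined from known constants,
    # never from whatever the environment supplied.
    return urlunsplit(("https", host, "", "", ""))


def is_safe_api_base(raw: Optional[str]) -> bool:
    """Boolean form of resolve_api_base, for policy checks and tests."""
    try:
        resolve_api_base(raw)
        return True
    except UnsafeEndpoint:
        return False


def sts_url_for(raw: Optional[str]) -> str:
    """Build the STS URL from a validated base plus a constant path."""
    return resolve_api_base(raw) + STS_ENDPOINT


def sts_url() -> str:
    return sts_url_for(os.getenv("LEEWOW_API_BASE"))


def fetch_sts() -> dict:
    """Hardened version of the flagged 'resp = requests.get(url, timeout=15)'."""
    import requests  # imported here so the policy code above has no third-party dependency

    url = sts_url()  # raises before any network I/O if the base is out of policy
    # No redirects: a 3xx from the API could otherwise move the request off-allowlist.
    resp = requests.get(url, timeout=15, allow_redirects=False)
    resp.raise_for_status()
    data = resp.json()
    if not data.get("tmpSecretId"):
        raise RuntimeError("STS response did not include tmpSecretId")
    return data
```

With this in place a poisoned ~/.openclaw/.env that sets LEEWOW_API_BASE to another host raises UnsafeEndpoint before any request is made, and allow_redirects=False keeps a misbehaving API from bouncing the credential request to a different origin.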

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes use of environment variables, local workspace file access, and outbound network/API operations, but it does not declare permissions accordingly. Hidden or undeclared capabilities reduce auditability and informed consent, making it harder for the platform or user to understand what data the skill can access and where it can send it.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill claims a relatively narrow product-preview workflow, but the documented behavior expands into image upload to cloud storage, STS credential retrieval, HMAC-signed URL generation, and a generic presigning utility for arbitrary COS objects. That mismatch can hide materially broader data exfiltration and token-signing capabilities than users expect, increasing the risk of misuse of uploaded content or storage access.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script reads arbitrary key/value pairs from ~/.openclaw/.env and injects them into process environment variables without any user disclosure or strict scoping. For a browsing skill, reaching into a local secrets/config file is broader than necessary and can silently consume sensitive local configuration, expanding the skill's access to host-side data and endpoints.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script implicitly loads secrets from ~/.openclaw/.env, which expands the trust boundary from process environment to a user-local file without validation or user awareness. In an agent setting, this can cause unintended credential use, environment confusion, or use of stale/poisoned secrets if that file is modified by another local process or misconfigured.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest exposes a general-purpose COS presigning capability that is not described in the skill metadata and is broader than needed for the custom-gift workflow. If the backing script signs arbitrary attacker-supplied COS URLs, the agent can be turned into a URL-signing proxy for private object access, bypassing intended access controls for Tencent COS resources reachable with the skill's credentials.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
A generic object-storage URL signer is unjustified in a skill whose stated purpose is browsing templates and generating product previews. This mismatch increases the chance the tool can be abused for unrelated data access, especially because presigned URLs can grant temporary read access to otherwise private objects without additional authentication.
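Added example, not the skill's own code, for the two presigning findings above: a wrapper that accepts a presign request only for the skill's own bucket, under known key prefixes, with a short expiry, so the agent cannot be turned into a signing proxy for arbitrary COS objects. The APP_ID, BUCKET, REGION, prefixes and 600-second cap are assumptions, and the HMAC at the end is a stand-in so the block runs offline; a real deployment would pass the checked key to the Tencent COS SDK's signer, whose algorithm is not reproduced here.

```python
"""Added example, not the Leewow skill's code: a presign wrapper that only signs objects
the gift workflow legitimately needs.

Assumed values: APP_ID, BUCKET, REGION, the allowed key prefixes and the 10-minute cap.
The signature line is a placeholder HMAC so the example runs offline; the production
signature is Tencent COS's own scheme, produced by the COS SDK, and is not reproduced.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

APP_ID = "1250000000"          # assumed
BUCKET = "leewow-uploads"      # assumed
REGION = "ap-guangzhou"        # assumed
ALLOWED_PREFIXES = ("uploads/", "previews/")  # assumed: the only key namespaces the skill uses
MAX_EXPIRES = 600              # seconds; assumed cap for a temporary preview link

# COS virtual-host bucket endpoint form: <bucket>-<appid>.cos.<region>.myqcloud.com
EXPECTED_HOST = f"{BUCKET}-{APP_ID}.cos.{REGION}.myqcloud.com"


class PresignRefused(ValueError):
    """The requested object or expiry is outside the skill's signing policy."""


def check_presign_target(object_url: str, expires: int) -> str:
    """Return the object key if the URL may be signed, otherwise raise PresignRefused."""
    parts = urlsplit(object_url)
    if parts.scheme != "https":
        raise PresignRefused("only https object URLs are signed")
    if parts.username is not None or parts.password is not None:
        raise PresignRefused("userinfo in object URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if host != EXPECTED_HOST:
        raise PresignRefused(f"host {host!r} is not the skill's own bucket")
    try:
        port = parts.port
    except ValueError as exc:
        raise PresignRefused(f"invalid port: {exc}") from None
    if port not in (None, 443):
        raise PresignRefused(f"unexpected port {port}")
    # Decode first so '%2e%2e' cannot hide a traversal segment from the check below.
    key = unquote(parts.path).lstrip("/")
    segments = key.split("/")
    if not key or "\\" in key or any(seg in ("", ".", "..") for seg in segments):
        raise PresignRefused(f"malformed object key {key!r}")
    if not key.startswith(ALLOWED_PREFIXES):
        raise PresignRefused(f"key {key!r} is outside the allowed prefixes")
    if not isinstance(expires, int) or not 0 < expires <= MAX_EXPIRES:
        raise PresignRefused(f"expiry must be 1..{MAX_EXPIRES}s, got {expires!r}")
    return key


def is_signable(object_url: str, expires: int) -> bool:
    """Boolean form of check_presign_target."""
    try:
        check_presign_target(object_url, expires)
        return True
    except PresignRefused:
        return False


def presign(object_url: str, expires: int, secret_id: str, secret_key: str,
            now: Optional[int] = None) -> str:
    """Policy-checked presign: attacker-supplied URLs never reach the signing step."""
    key = check_presign_target(object_url, expires)
    start = int(time.time()) if now is None else int(now)
    end = start + expires
    # Placeholder: HMAC-SHA1 over key and validity window. NOT the COS v5 signature.
    msg = f"{key}\n{start};{end}".encode()
    sig = hmac.new(secret_key.encode(), msg, hashlib.sha1).hexdigest()
    return (f"https://{EXPECTED_HOST}/{quote(key)}"
            f"?q-ak={quote(secret_id)}&q-key-time={start};{end}&q-signature={sig}")
```

The point is the ordering: the host, key and expiry checks run before any secret is touched, so the skill's STS credentials can only ever produce links for the two prefixes the workflow writes, and never for other buckets or for long-lived access.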

Vague Triggers

Medium
Confidence
76% confidence
Finding
The invocation guidance is broad enough to match ordinary conversation such as 'gift ideas' or 'show me what I can customize,' which can cause the skill to activate unexpectedly. In this skill, unintended activation matters because it can lead to network calls, image handling, and local file downloads without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The top-level description does not clearly warn that user-uploaded images and generated previews are stored in the local workspace. Because images may contain sensitive personal content, silent local retention increases privacy and data-handling risk, especially on shared or persisted workspaces.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code silently loads credentials such as CLAW_SK from a local env file, giving the skill access to secrets without an explicit user-facing warning or consent boundary. In a third-party skill context this is risky because users may not realize the skill can harvest locally stored authentication material to call external services or altered endpoints.
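Added example, not the skill's own code, covering the three findings above that concern ~/.openclaw/.env (the two context-inappropriate-capability findings and this warning about CLAW_SK): a loader that reads only named keys, refuses to override values already in the environment, rejects a file that other local users can read or write, and prints the key names it consumed. CLAW_SK is named on the page; LEEWOW_API_BASE in the allowlist, the file permission rule and the KEY=VALUE parsing rules are assumptions, and the parser is a minimal reader rather than python-dotenv.

```python
"""Added example, not the Leewow skill's code: a scoped loader for ~/.openclaw/.env.

It takes only named keys, never overrides the live environment, refuses a file that other
local users can access, and reports key names (never values) to the user.
Assumed: the allowlist contents beyond CLAW_SK, the permission rule and the parsing rules.
"""
import os
import stat
from pathlib import Path
from typing import Dict, Tuple

ENV_FILE = Path.home() / ".openclaw" / ".env"
ALLOWED_KEYS = frozenset({"CLAW_SK", "LEEWOW_API_BASE"})  # CLAW_SK from the finding

# Constructed sample of a .env file, used by demo(); not a real configuration.
SAMPLE_ENV_TEXT = (
    "# constructed example\n"
    "CLAW_SK='abc123'\n"
    "export LEEWOW_API_BASE=https://api.leewow.com\n"
    "OTHER_TOKEN=zzz\n"
    "not an assignment\n"
)


def parse_env_text(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; supports '#' comments, an 'export ' prefix and simple quoting."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        if key:
            values[key] = value
    return values


def select_keys(values: Dict[str, str], allowed=ALLOWED_KEYS,
                environ=None) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split parsed values into (applied, skipped_with_reason).

    Keys outside the allowlist are never consumed, so unrelated secrets in the file stay
    out of the skill's process. Keys already present in the environment win over the
    file, so a stale or edited .env cannot silently replace an explicitly set value.
    """
    environ = os.environ if environ is None else environ
    applied: Dict[str, str] = {}
    skipped: Dict[str, str] = {}
    for key, value in values.items():
        if key not in allowed:
            skipped[key] = "not in allowlist"
        elif key in environ:
            skipped[key] = "already set in environment"
        else:
            applied[key] = value
    return applied, skipped


def load_scoped_env(path: Path = ENV_FILE, allowed=ALLOWED_KEYS, environ=None) -> Dict[str, str]:
    """Load allowlisted keys from `path` into `environ` and disclose what happened."""
    environ = os.environ if environ is None else environ
    if not path.is_file():
        return {}
    if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Group/other access means another local process could plant or read secrets.
        raise PermissionError(f"{path} must be private to the user (chmod 600)")
    parsed = parse_env_text(path.read_text(encoding="utf-8"))
    applied, skipped = select_keys(parsed, allowed, environ)
    environ.update(applied)
    print(f"Loaded {sorted(applied)} from {path}; skipped {skipped}")  # names only
    return applied


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Run the selection logic over SAMPLE_ENV_TEXT with LEEWOW_API_BASE already set."""
    preset = {"LEEWOW_API_BASE": "https://api.leewow.com"}
    return select_keys(parse_env_text(SAMPLE_ENV_TEXT), environ=preset)
```

Against the constructed sample, only CLAW_SK is applied: OTHER_TOKEN is outside the allowlist and LEEWOW_API_BASE is already set by the operator, and both are reported by name so the user can see what the skill did and did not consume.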

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function downloads remote coverImage content and writes it into the local workspace automatically, based entirely on server-provided URLs, with no user warning or origin restrictions. In this skill's context, local image caching is functionally relevant, but it still creates a trust boundary issue: remote services can trigger local file writes and potentially induce SSRF-like requests to attacker-controlled URLs if the API response is manipulated.
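Added example, not the skill's own code: a download routine for server-supplied coverImage URLs that restricts the origin, derives the filename from a hash rather than the URL path, caps the size and checks the content type before anything is written into the workspace. The host allowlist img.leewow.com, the 5 MiB cap and the accepted types are assumptions; the fetch is injectable so the policy runs offline against constructed responses.

```python
"""Added example, not the Leewow skill's code: cache a server-supplied coverImage URL in
the workspace without letting the API response choose the origin, filename or size.

Assumed: the image host allowlist, the 5 MiB cap and the accepted content types.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, Tuple
from urllib.parse import urlsplit

ALLOWED_IMAGE_HOSTS = frozenset({"img.leewow.com"})   # assumed CDN host for template covers
MAX_IMAGE_BYTES = 5 * 1024 * 1024                     # assumed cap
ALLOWED_TYPES = {"image/jpeg": ".jpg", "image/png": ".png", "image/webp": ".webp"}

Fetcher = Callable[[str], Tuple[str, Iterable[bytes]]]  # url -> (content-type, chunks)


class DownloadRefused(ValueError):
    """The server-supplied URL or response is outside the caching policy."""


def check_image_url(url: str) -> str:
    """Only https URLs on allowlisted hosts are fetched; link-local or arbitrary hosts are refused."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise DownloadRefused(f"refusing non-https cover URL {url!r}")
    if parts.username is not None or parts.password is not None:
        raise DownloadRefused("userinfo in cover URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_IMAGE_HOSTS:
        raise DownloadRefused(f"host {host!r} not allowed for cover images")
    return url


def is_allowed_image_url(url: str) -> bool:
    try:
        check_image_url(url)
        return True
    except DownloadRefused:
        return False


def cache_path(workspace: Path, url: str, content_type: str) -> Path:
    """Derive the on-disk name from a hash of the URL, never from the URL's path."""
    ext = ALLOWED_TYPES.get(content_type.split(";")[0].strip().lower())
    if ext is None:
        raise DownloadRefused(f"unexpected content type {content_type!r}")
    target = workspace / "covers" / (hashlib.sha256(url.encode()).hexdigest()[:32] + ext)
    if workspace.resolve() not in target.resolve().parents:  # defence in depth
        raise DownloadRefused("cache path escaped the workspace")
    return target


def _requests_fetch(url: str) -> Tuple[str, Iterable[bytes]]:
    import requests  # third-party; only needed for real downloads

    resp = requests.get(url, timeout=15, stream=True, allow_redirects=False)
    resp.raise_for_status()
    return resp.headers.get("Content-Type", ""), resp.iter_content(64 * 1024)


def download_cover(url: str, workspace: Path, fetch: Fetcher = _requests_fetch) -> Path:
    """Fetch a cover image into workspace/covers with origin, type and size limits."""
    check_image_url(url)
    content_type, chunks = fetch(url)
    target = cache_path(workspace, url, content_type)
    target.parent.mkdir(parents=True, exist_ok=True)
    part = target.with_name(target.name + ".part")
    total = 0
    with open(part, "wb") as fh:
        for chunk in chunks:
            total += len(chunk)
            if total > MAX_IMAGE_BYTES:
                break  # stop reading; the partial file is removed below
            fh.write(chunk)
    if total > MAX_IMAGE_BYTES:
        part.unlink()
        raise DownloadRefused(f"cover exceeds {MAX_IMAGE_BYTES} bytes")
    part.replace(target)
    return target


def _fake_fetch(content_type: str, payload: bytes) -> Fetcher:
    """Constructed response for offline runs: serves `payload` in 64 KiB chunks."""
    def fetch(_url: str):
        return content_type, (payload[i:i + 65536] for i in range(0, len(payload), 65536))
    return fetch


def demo() -> Dict[str, object]:
    """Exercise the policy in a temporary workspace with constructed responses."""
    ws = Path(tempfile.mkdtemp(prefix="leewow-ws-"))
    url = "https://img.leewow.com/covers/demo.png"
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 1016            # constructed 1024-byte stand-in
    cached = download_cover(url, ws, _fake_fetch("image/png", png))
    result: Dict[str, object] = {"suffix": cached.suffix, "size": cached.stat().st_size,
                                 "in_workspace": ws.resolve() in cached.resolve().parents}
    for label, fetch in (("oversize_refused", _fake_fetch("image/png", b"\0" * (MAX_IMAGE_BYTES + 1))),
                         ("wrong_type_refused", _fake_fetch("text/html", b"<html>"))):
        try:
            download_cover(url, ws, fetch)
            result[label] = False
        except DownloadRefused:
            result[label] = True
    return result
```

Because the filename is a hash of the URL and the write goes through a .part file under a fixed workspace subdirectory, a manipulated API response can neither choose where the bytes land nor leave a truncated file behind, and the host check refuses the metadata-service and internal addresses that an SSRF-style response would point at.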

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code uploads arbitrary local files to cloud storage and returns a public URL, but the skill description only notes automatic download behavior and does not provide clear disclosure or consent around outbound uploads. In a skill that handles user images, silent cloud upload increases privacy and data-handling risk, especially if users or operators assume files stay local to the workspace.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill uploads a user-supplied image to external COS storage and then sends its URL to a third-party generation API, but this code contains no disclosure, consent check, or policy guard at the point of transmission. Because images may contain sensitive personal or proprietary content, silent exfiltration to external services is a real privacy and data-handling risk in this skill context.

VirusTotal

No vendor flagged this skill (0 of 67 VirusTotal engines). That verdict covers the packaged files as malware-scanner input only; it does not evaluate the agentic and data-handling behaviour described in the findings above.
