公众号原创文章推荐 (Official Account original article recommendations)

Security checks across malware telemetry and agentic risk

Overview

The skill’s article-recommendation purpose is coherent, but it needs review because it sends the required API key over HTTPS with certificate verification disabled.

Install only if you trust the RedFox service and are comfortable providing a REDFOX_API_KEY, but treat this version as needing review or remediation first: TLS verification should be restored before use, the generated HTML should escape remote article data, and the subscription behavior should clearly require opt-in and provide an unsubscribe path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tainted flow: 'req' from os.getenv (line 126, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    ssl_ctx.verify_mode = ssl.CERT_NONE

    try:
        with urllib.request.urlopen(req, context=ssl_ctx, timeout=timeout) as resp:
            result = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        raise Exception(f"HTTP请求失败: {e.code}, {e.read().decode('utf-8', errors='replace')}")
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, context=ssl_ctx, timeout=timeout) as resp:

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The helper documentation explicitly states verify=False, matching code that disables TLS verification. Presenting this as routine API access normalizes an insecure transport configuration that can expose API credentials and allow attackers to tamper with fetched content.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill explicitly invites activation from plain-language input with 'no fixed commands to memorize,' which makes invocation boundaries ambiguous and increases the chance the skill is triggered by ordinary user requests that merely resemble its examples. In an agent environment, overly broad triggers can cause unintended data retrieval, unexpected external API use, and user confusion about why this skill activated instead of a more appropriate one.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The example trigger phrase 'viral recommendations' is highly generic and overlaps with common everyday requests about content suggestions, marketing ideas, or trending posts unrelated to this skill. That broad overlap increases accidental activation risk, which can route user requests to the wrong tool and unnecessarily expose or consume external service access tied to the configured API key.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README states users can invoke the skill with unrestricted natural language, which makes the trigger surface very broad and increases the chance of accidental invocation during ordinary conversation. In an agent environment, overly generic activation language can cause the skill to run when the user did not intend to access this data source, leading to confusing behavior, privacy issues around unintended requests, or misuse of the configured API-backed capability.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example phrases include very generic expressions like '最新有什么原创热门' ("what are the latest popular originals") and similar everyday wording, which may overlap with normal conversation unrelated to this specific skill. That overlap raises the risk of false activation and unintended external API usage, especially because the skill is connected to a third-party service via an API key and may generate outputs or subscriptions from casual phrasing.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases include very common expressions such as “最近” (“recently”) and “最新” (“latest”), which are broad enough to match many unrelated conversations. Overbroad activation can cause the skill to run unexpectedly, producing unsolicited network calls or content retrieval outside the user's clear intent.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill is designed to proactively ask users whether to push the latest articles immediately after loading, without establishing whether the user intended to use this capability. This increases the chance of non-consensual activation and can funnel users into network retrieval or subscription flows they did not request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that the skill will generate an HTML report and automatically open it, but it does not warn the user about local file creation or launching rendered content. Automatic file generation/opening can surprise users, create unwanted artifacts, and increase risk if rendered content contains unsafe external resources or script behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises daily scheduled subscription pushes but does not clearly explain the persistence of that behavior, how consent is recorded, or how users can stop it. Ongoing notifications or scheduled actions without explicit lifecycle controls can lead to unwanted repeated interactions and user confusion.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script transmits request data and the X-API-KEY credential to a remote endpoint while disabling TLS certificate verification and hostname validation. This enables active network attackers to intercept the secret, impersonate the API endpoint, or inject manipulated article data into the skill's output.

VirusTotal

VirusTotal findings are pending for this skill version.