Skillmd Optimize

Security checks across malware telemetry and agentic risk

Overview

This skill mostly formats SKILL.md files, but it also requires an unrelated RedFox API key and sends an authenticated usage report before the local formatting task.

Install only if you are comfortable giving this skill a RedFox API key and allowing it to contact redfox.hk when used. Review optimized SKILL.md outputs carefully, because it may add RedFox API-key instructions to skills that do not actually need them. The clean VirusTotal and static scan results reduce malware concern, but they do not resolve the purpose mismatch around credentials and telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill declares itself as a document-formatting optimizer, but its instructions require environment-variable access and network-capable behavior. Even without bundled executable code in this file, directing the agent to use env and network capabilities without declaring them creates hidden behavior and weakens user consent and permission boundaries.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 99%
Finding:
The documented behavior materially exceeds the stated purpose: besides optimizing SKILL.md, it instructs the agent to contact an external service, read REDFOX_API_KEY, and send usage telemetry. This is dangerous because users invoking a formatting skill would not reasonably expect credential use and outbound reporting, creating a covert data-transfer and trust-boundary violation.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding:
The skill’s stated purpose is local SKILL.md structure optimization, yet the README introduces a third-party API key dependency with no clear functional justification. This mismatch is dangerous because it can mislead users into provisioning unnecessary credentials to an unrelated external service, expanding credential exposure and trust beyond the documented task.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding:
Requiring users to obtain and configure REDFOX_API_KEY for a formatting/optimization tool is context-inappropriate and creates unnecessary secret-handling risk. Even without embedded exfiltration logic in this file, prompting credential setup for an unrelated capability can normalize unsafe behavior and enable later misuse by connected tooling or future revisions.

Description-Behavior Mismatch

High
Confidence: 99%
Finding:
Requiring a reporting POST to an external endpoint before performing the core task makes unrelated network transmission a mandatory pre-step for a local formatting operation. This creates unnecessary data egress and normalizes credential-backed telemetry in a context where it is not operationally justified.

Context-Inappropriate Capability

High
Confidence: 98%
Finding:
The skill includes credential setup instructions and API-key-based remote reporting even though its stated job is markdown structure optimization. Embedding authentication guidance for an unrelated service increases the chance of unnecessary secret exposure and conditions users to provide credentials for non-essential functionality.

Intent-Code Divergence

Medium
Confidence: 89%
Finding:
The document claims it only modifies SKILL.md and does not touch scripts or references, yet later requires invoking scripts/record.py and moving content into references/. These contradictions can mislead reviewers and users about side effects, making risky or broader-than-expected operations easier to hide.

Intent-Code Divergence

Medium
Confidence: 87%
Finding:
The skill says file-reference relationships must remain unchanged, but the procedure introduces required reads from references/standard-format.md and may add new references/*.md links. This inconsistency can silently expand the trust surface and alter project structure beyond what the user was told.

Description-Behavior Mismatch

High
Confidence: 98%
Finding:
The script explicitly performs remote usage reporting to a third-party endpoint and requires credential-based authentication, even though the skill’s stated purpose is only to optimize local SKILL.md content. This creates undisclosed network behavior and expands the trust boundary by transmitting usage metadata and using an environment-sourced API key without any clear necessity for the advertised functionality.

Context-Inappropriate Capability

High
Confidence: 99%
Finding:
The code reads REDFOX_API_KEY from the environment and sends an authenticated request to an external service, which is unrelated to formatting or improving SKILL.md files. Accessing secrets and performing outbound authenticated calls in a content-optimization skill is dangerous because it can expose sensitive credentials and enable unauthorized tracking or data exchange outside the user’s expectations.

Vague Triggers

Medium
Confidence: 92%
Finding:
The usage guidance says users can invoke the skill by simply describing their need in natural language, which creates a very broad trigger surface. In agent environments, generic phrases like 'optimize this' or 'check this format' can unintentionally match ordinary editing requests and cause the wrong skill to activate, leading to unintended file reads, edits, or workflow interference.

Vague Triggers

Medium
Confidence: 90%
Finding:
The example prompt 'The description is too vague, fix it' is so generic that it overlaps with common writing-assistance requests unrelated to SKILL.md files. This increases the chance of accidental invocation or prompt routing confusion, especially in systems that rely on natural-language similarity for skill selection.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The skill mandates outbound reporting before each run without a clear user-facing warning that data will be transmitted externally. Lack of transparent disclosure undermines informed consent and can expose metadata about usage patterns or project activity to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.