公众号爆款封面生成 (WeChat Official Account viral cover generator)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its cover-design purpose, but it uses unsafe HTTPS behavior and raw external URLs in ways users should review before installing.

Review before installing. Use it only if you are comfortable sending your topic keywords to onetotenvip.com and having the agent fetch third-party cover images. Avoid sensitive campaign topics, unreleased product names, or private strategy keywords until the publisher restores normal TLS verification, documents the external endpoint, validates URLs before embedding them in HTML, and clearly discloses local report creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions even though its documented behavior includes network access and generating HTML report files. This is dangerous because it hides effective capabilities from the host and users, preventing informed consent and weakening policy enforcement around data egress and file creation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is cover generation, but the behavior expands into external data collection, article ranking retrieval, metadata extraction, and custom TLS/socket handling to reach a specific third-party site without normal SNI behavior. That mismatch is dangerous because it conceals broader scraping and network capabilities, and the custom no-SNI access strongly suggests bypassing standard access controls or traffic scrutiny.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill claims all data must come from a designated interface, yet it also instructs direct retrieval of cover image URLs for per-image analysis. This widens outbound network behavior beyond the stated boundary and can cause unreviewed requests to arbitrary third-party hosts embedded in returned data, increasing SSRF-like and privacy risks.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to directly access many third-party cover image URLs for analysis, which creates outbound network requests to external resources without clear user consent or disclosure. This can leak usage metadata such as IP, timing, and query behavior to untrusted hosts, and at scale increases exposure to malicious or tracking endpoints.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code deliberately disables certificate validation and suppresses SNI while making HTTPS requests, which removes core TLS protections against man-in-the-middle interception and spoofed endpoints. In a skill context that sends user-supplied keywords to a remote service, this makes exfiltration, response tampering, and silent redirection materially easier.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The function presents itself as performing HTTPS requests, but its implementation intentionally defeats normal HTTPS trust guarantees by disabling certificate and hostname verification and omitting SNI. This is dangerous because downstream code and reviewers may assume transport confidentiality and authenticity that are not actually being provided.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow requires writing an HTML file to the local filesystem but does not tell the user that local state will be modified. Undisclosed file creation can surprise users, overwrite existing files, or leave behind sensitive/generated artifacts in shared or persistent workspaces.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions require direct access to external cover image URLs without warning the user that third-party requests will occur. This creates a privacy and trust issue because remote hosts can observe request metadata, and malicious URLs may increase operational risk even if no code is executed.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script transmits the user-provided keyword to an external domain without clear disclosure, consent, or meaningful explanation of where the data goes and under what security conditions. Because transport protections are already weakened elsewhere in the file, this privacy issue becomes more serious: sensitive keywords may be exposed to the remote operator or an active network attacker.

VirusTotal

66/66 vendors flagged this skill as clean.
