伐木累分析大师

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent chat-to-persona purpose, but it handles sensitive chats with under-scoped cloud processing, bundled private-looking data, and embedded Kimi API credentials.

Review carefully before installing. Do not run this on private chats unless all participants have consented and you are comfortable with external LLM processing. Remove the bundled raw chat and output files, delete and rotate the embedded Kimi key, fix the runner so it processes only the user-selected file, and add explicit privacy, retention, and deletion controls before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
87%
Finding
The skill invokes Python scripts, reads user-supplied chat exports, writes multiple output files, accesses environment variables for API keys, and explicitly calls external LLM APIs, yet it declares no permissions. That mismatch undermines review and consent because users and orchestrators cannot accurately understand that the skill performs shell execution, file I/O, env access, and network exfiltration of sensitive chat data.

Tp4

Severity
High
Category
MCP Tool Poisoning
Confidence
96%
Finding
The documented purpose frames the skill as local chat-to-persona analysis, but the observed behavior includes sending private conversations to third-party LLM providers and references additional external endpoints and hardcoded API keys in the broader codebase. For a skill processing intimate family conversations, failing to clearly disclose off-device transmission and third-party processing is a serious privacy and trust violation.

Description-Behavior Mismatch

Severity
High
Confidence
97%
Finding
The file explicitly states it uses Anthropic's Batches API to process all conversation chunks, which means private family chat content is transmitted to an external third-party service. In the context of a skill marketed around analyzing sensitive household chat logs into durable digital personas, undisclosed off-device transfer materially increases privacy, consent, and data-governance risk.

Context-Inappropriate Capability

Severity
High
Confidence
98%
Finding
This code initializes an Anthropic client with an API key, builds prompts from raw chat chunks, submits them in batch, polls for completion, and caches returned content, confirming active third-party processing of family conversations. Because the skill's purpose involves extracting 'digital personas' from intimate group chats, the combination of sensitive source material and remote inference makes unauthorized disclosure or unexpected retention significantly more harmful.

Description-Behavior Mismatch

Severity
High
Confidence
96%
Finding
This code initializes an external Kimi/OpenClaw client and performs a live connectivity test, confirming the pipeline depends on a third-party API rather than remaining purely local. In the context of a skill designed to process private family chat logs into personas, undisclosed external processing materially increases privacy risk because sensitive relationship, behavioral, and identity data may leave the user’s environment.

Context-Inappropriate Capability

Severity
High
Confidence
99%
Finding
A hard-coded API key is embedded directly in source, which is a credential exposure vulnerability and also enables immediate third-party access without user configuration. Because this skill handles intimate family chat records, bundling a working external-service credential lowers friction for silent exfiltration of sensitive content and risks key abuse by anyone who obtains the code.

Description-Behavior Mismatch

Severity
Medium
Confidence
92%
Finding
This code sends family chat content to a third-party Kimi API for analysis, which is a privacy-relevant data transfer involving highly sensitive interpersonal content. In the context of a skill designed to extract family personas, the undisclosed external transmission is especially dangerous because users may reasonably expect local processing and may not realize intimate chat history is leaving their environment.

Description-Behavior Mismatch

Severity
High
Confidence
98%
Finding
The script sends family group chat content to a third-party LLM service for analysis, but the skill description does not clearly disclose this external transmission. Because the data is highly sensitive interpersonal content, undisclosed export materially increases privacy, consent, and compliance risk.

Context-Inappropriate Capability

Severity
High
Confidence
100%
Finding
A hardcoded API credential is embedded directly in source code, which exposes the secret to anyone with repository or package access and enables unauthorized use of the external service. This can lead to account abuse, billing fraud, and loss of control over data access tied to that credential.

Description-Behavior Mismatch

Severity
Medium
Confidence
93%
Finding
This code transmits highly sensitive family-chat-derived observations and persona synthesis prompts to Anthropic's external API for processing. In this skill's context, the data concerns private household communications and inferred psychological profiles, so undisclosed third-party transfer materially increases privacy, consent, and data-handling risk beyond a local-only analysis expectation.

Description-Behavior Mismatch

Severity
Medium
Confidence
89%
Finding
Update mode can silently broaden collection scope by merging social-media Moments and image observations into the same synthesis pipeline. That scope expansion is especially sensitive here because the skill is marketed around family chat analysis, yet it can ingest additional personal data sources that may contain unrelated, intimate, or bystander information.

Description-Behavior Mismatch

Severity
High
Confidence
98%
Finding
The script transmits family/group-chat-derived observations to a third-party remote LLM endpoint, which is highly sensitive personal data. The skill description emphasizes persona extraction from chat records but does not disclose external processing, so users could reasonably believe analysis is local when it is not.

Context-Inappropriate Capability

Severity
High
Confidence
99%
Finding
A hard-coded API credential is embedded directly in source code alongside a third-party endpoint. This exposes the secret to anyone with repository or package access and enables unauthorized use of the external service, while also creating an unnecessary covert exfiltration path for sensitive chat-derived data.

Missing User Warnings

Severity
Medium
Confidence
91%
Finding
The README explicitly promotes ingesting family group chat exports and generating durable persona profiles, which involves highly sensitive personal and relational data. Failing to warn about privacy risks, consent requirements, retention, and downstream misuse increases the chance that users process intimate third-party data without adequate safeguards.

Missing User Warnings

Severity
High
Confidence
97%
Finding
Requiring an ANTHROPIC_API_KEY strongly implies chat content will be sent to a third-party model provider, yet the README does not disclose external transmission of private family communications. This can lead users to unknowingly upload sensitive conversations, including data about minors, health, finances, and relationships, to an external service with separate retention and policy implications.

Vague Triggers

Severity
Medium
Confidence
80%
Finding
The trigger phrases are broad enough to overlap with ordinary requests like analyzing chat logs or generating persona-related outputs, which can cause accidental invocation. In this skill, misfires are more dangerous than usual because the workflow may launch a pipeline that processes sensitive family data and prepares it for external API submission.

Missing User Warnings

Severity
High
Confidence
95%
Finding
The skill is centered on private family chat histories, yet the instructions do not prominently warn that the contents may be transmitted to external LLM services for analysis. Because the material can contain sensitive interpersonal, health, financial, and child-related information, omission of a clear privacy warning defeats informed consent and materially increases the risk of harmful disclosure.

Missing User Warnings

Severity
Medium
Confidence
95%
Finding
The script sends raw conversation-derived prompt content to Moonshot's external API, and the skill's purpose is specifically to process family/group chat logs into personality profiles. In this context, the transmitted data is highly sensitive and can include private messages, relationships, and inferred traits, yet the code provides no explicit consent flow, warning, redaction step, or privacy safeguard before exfiltration.

Missing User Warnings

Severity
Medium
Confidence
98%
Finding
The code sends each prompt, which includes chunked family chat text, directly to the external Kimi API with no consent gate, warning, redaction, or disclosure. This is particularly dangerous here because the input consists of highly sensitive interpersonal conversations used to infer digital personas, amplifying privacy harm if disclosed, retained, or misused by the remote provider.

Missing User Warnings

Severity
High
Confidence
99%
Finding
A live API credential is hardcoded directly in source code, making it trivially recoverable by anyone with repository, package, or log access. Exposed credentials can be abused to consume paid API resources, impersonate the project, access associated data flows, and expand the blast radius of any downstream compromise.

Missing User Warnings

Severity
Medium
Confidence
95%
Finding
The code transmits raw conversation text to an external API without any explicit user warning, consent gate, or indication of what data leaves the system. Because the processed material is family chat history used for persona extraction, the data is likely to contain sensitive personal details, making silent upload a significant privacy and compliance risk.

Missing User Warnings

Severity
High
Confidence
100%
Finding
The hardcoded API key is used without any user disclosure or secure handling controls. In a skill processing private family conversations, embedding a live credential amplifies the risk of unauthorized service access and silent data processing outside user awareness.

Missing User Warnings

Severity
High
Confidence
99%
Finding
The code transmits chat content in prompts to an external API without explicit user-facing notice or consent. Since the skill is built around family chat logs, the context makes this especially sensitive because messages may contain personal, relational, and potentially regulated information.

Missing User Warnings

Severity
Medium
Confidence
94%
Finding
The code constructs an Anthropic client and streams prompts containing observation data and derived family/persona content to an external service without any visible user warning in this file. Because the skill processes family communications into durable psychological/personality artifacts, undisclosed remote processing creates substantial confidentiality and informed-consent risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The network call sends aggregated behavioral observations to the remote model without any user-facing warning, consent prompt, or privacy disclosure. Because the input is derived from family/group chats, silent transmission materially increases privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.