钢材货源查询 (Steel Supply Query)

Security checks across malware telemetry and agentic risk

Overview

This steel-trading skill is mostly purpose-aligned, but it exposes and uses shared business data channels without enough scoping, consent, or revocation guidance.

Install only if you are comfortable with this skill handling business inventory, buyer demand, and contact information. Before using shared Feishu publishing or cron pushes:
  • confirm who can access the target Feishu table;
  • remove or replace the hard-coded table identifiers;
  • require explicit confirmation before any contact details are published;
  • define how local JSON data and uploaded Excel files will be deleted or protected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium severity, 98% confidence
Finding
The skill document embeds a fixed Feishu Bitable app token and table ID. Hard-coded external service identifiers can enable unauthorized access, abuse of shared resources, data scraping, or malicious record creation if the document is exposed beyond its intended audience. Note that a Bitable app token names the base rather than authenticating to it; API calls still need a tenant access token, so the identifiers alone do not grant access, but they tell anyone who obtains any credential for that tenant exactly which table to target.

Context-Inappropriate Capability

Medium severity, 90% confidence
Finding
The skill openly documents direct management operations against a real external collaboration resource, including listing and batch creation on a specific Feishu table. Publishing live resource identifiers and management workflows lowers the barrier for misuse and widens the operational attack surface beyond what is necessary for end-user documentation.

Intent-Code Divergence

Medium severity, 86% confidence
Finding
The `my` command is labeled as showing '我的库存' (my inventory), but it calls `get_by_supplier()`, which in turn uses `search()` with the default `status="在售"` (for sale). Users may therefore believe they are seeing their full inventory while sold or delisted records are silently omitted. This is an integrity and authorization-boundary issue in a B2B trading context, where inventory visibility affects business decisions and auditability.
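The divergence above, reproduced and then fixed, as an added example. This is Python written for this page, not the skill's own source; the `Listing` layout, the sample inventory, and the sold/delisted status strings are assumptions.

```python
from dataclasses import dataclass

# Status values. "在售" is the default the finding describes; the other two are assumed.
FOR_SALE = "在售"   # for sale
SOLD = "已售"       # sold (assumed)
DELISTED = "下架"   # delisted (assumed)


@dataclass(frozen=True)
class Listing:
    supplier: str
    spec: str
    status: str


# Constructed sample inventory, not data from the skill.
INVENTORY = [
    Listing("华东钢贸", "HRB400 Φ12", FOR_SALE),
    Listing("华东钢贸", "Q235B 热轧板 3mm", SOLD),
    Listing("华东钢贸", "HRB400 Φ20", DELISTED),
    Listing("北方钢材", "Q355B 中板 10mm", FOR_SALE),
]


def search(records, *, supplier=None, status=FOR_SALE):
    """Generic search with a for-sale default, as the finding describes.
    Passing status=None disables the status filter entirely."""
    out = []
    for r in records:
        if supplier is not None and r.supplier != supplier:
            continue
        if status is not None and r.status != status:
            continue
        out.append(r)
    return out


def get_by_supplier_divergent(records, supplier):
    """Mirrors the reported behaviour: inherits status="在售" from search(),
    so sold and delisted rows vanish from a "my inventory" view."""
    return search(records, supplier=supplier)


def get_by_supplier(records, supplier, status=None):
    """Fixed: no status filter unless the caller asks for one explicitly."""
    return search(records, supplier=supplier, status=status)


def my_inventory(records, supplier):
    """What the `my` command should return: every row for the supplier plus a
    per-status count, so the user can see that sold/delisted rows are included."""
    rows = get_by_supplier(records, supplier)
    counts = {}
    for r in rows:
        counts[r.status] = counts.get(r.status, 0) + 1
    return {"rows": rows, "counts": counts}
```

For the constructed supplier 华东钢贸 the divergent path returns a single for-sale row, while `my_inventory()` returns all three rows and makes the status breakdown visible.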

Vague Triggers

Medium severity, 91% confidence
Finding
Overly broad trigger phrases can cause unintended invocation in unrelated conversations, which is risky because this skill can perform file operations, networked queries, and external publishing workflows. Accidental activation increases the chance of unnecessary data access, confusing behavior, or undesired side effects.

Vague Triggers

Medium severity, 93% confidence
Finding
Several patterns such as generic pricing, list, data-source, and spec phrases are insufficiently tied to the steel domain. In a skill that supports uploads, scheduled pushes, and inventory publication, ambiguous triggers materially increase unintended execution and data-handling risk.

Missing User Warnings

Medium severity, 89% confidence
Finding
The skill instructs users to upload Excel inventory files and save them to a temporary directory without disclosing retention, access controls, validation, or cleanup. Uploaded spreadsheets may contain sensitive business and personal data, and poor handling can lead to privacy leaks or malicious-file processing risks.

Missing User Warnings

High severity, 97% confidence
Finding
The skill publishes supplier contact details, including names and phone numbers, to a shared platform without any privacy warning, consent flow, or minimization controls. This creates a clear risk of unauthorized disclosure of personal/business contact data and possible regulatory noncompliance.

Missing User Warnings

Medium severity, 86% confidence
Finding
The documented daily push behaviour introduces ongoing outbound actions and persistent scheduling via cron, but the skill gives no warning about the recurring notifications, the crontab entry it installs, or how to remove that entry. This can surprise users and leaves behaviour running beyond the immediate session.

Missing User Warnings

Medium severity, 96% confidence
Finding
The script hard-codes Feishu Bitable identifiers and returns them via get_config(), which exposes the backing external data source to any caller of the skill. In this B2B trading context, those identifiers can facilitate unauthorized enumeration of the table, misuse of connected tooling, and unintended access patterns against inventory and supplier data even if additional auth may still be required elsewhere.
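An added example of the two mitigations that this identifier finding and the contact-disclosure finding above call for: Bitable identifiers loaded from the environment and masked in any config output, and publishing gated behind explicit confirmation with contact fields minimized. This is illustrative Python written for this page, not the skill's own code; the environment variable names, record fields, sample row, and the injected `sender` callable are assumptions.

```python
import os
import re

# Assumed environment variable names; the skill's real configuration keys are not known here.
APP_TOKEN_ENV = "FEISHU_APP_TOKEN"
TABLE_ID_ENV = "FEISHU_TABLE_ID"

# Fields that may be published without a per-row decision. Contact data is deliberately absent.
PUBLIC_FIELDS = ("supplier", "spec", "price", "quantity")

# Constructed sample record, not data from the skill.
SAMPLE_RECORDS = [
    {"supplier": "华东钢贸", "spec": "HRB400 Φ12", "price": 3850, "quantity": 120,
     "contact_name": "张三", "phone": "13800138000"},
]


class ConfigError(RuntimeError):
    pass


def load_feishu_config(env=None):
    """Read Bitable identifiers from the environment instead of hard-coding them.
    A missing variable is an error: there is deliberately no built-in fallback table."""
    env = os.environ if env is None else env
    missing = [k for k in (APP_TOKEN_ENV, TABLE_ID_ENV) if not env.get(k)]
    if missing:
        raise ConfigError(f"missing {', '.join(missing)}; refusing to use a default table")
    return {"app_token": env[APP_TOKEN_ENV], "table_id": env[TABLE_ID_ENV]}


def mask_identifier(value, keep=4):
    """Keep only a short prefix so get_config()-style output and logs do not leak the full id."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def describe_config(cfg):
    """Safe-to-display view of the configuration."""
    return {k: mask_identifier(v) for k, v in cfg.items()}


def mask_phone(phone):
    """Keep the last four digits only."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def minimize(record, include_contact=False):
    """Project a record onto the public fields; contact data is opt-in and masked."""
    row = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    if include_contact:
        row["contact_name"] = record.get("contact_name", "")
        row["phone"] = mask_phone(record.get("phone", ""))
    return row


def publish(records, cfg, sender, *, confirmed=False, include_contact=False):
    """Publish rows to the configured table. The caller must state confirmation
    explicitly. `sender(table_id, rows)` is injected so this example never touches
    the network; a real implementation would call the Bitable batch-create API there."""
    if not confirmed:
        raise PermissionError("publishing requires explicit user confirmation")
    rows = [minimize(r, include_contact) for r in records]
    sender(cfg["table_id"], rows)
    return rows
```

The point of injecting `sender` is that the confirmation and minimization logic can be tested without credentials; whatever performs the real Feishu call sits behind that one boundary.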

Missing User Warnings

Medium severity, 92% confidence
Finding
The code persists purchase request records to a local JSON file, including inferred buyer identity, delivery address, budget, quantity, and timestamps, without any visible consent notice, retention policy, or access controls. In a B2B trading context, this is commercially sensitive business data, and silent persistence increases privacy, confidentiality, and compliance risk if the host is shared or the file is later exposed.
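An added example of the persistence controls this finding says are absent: a consent gate before anything is written, owner-only file permissions, atomic writes, and a retention purge. This is illustrative Python written for this page, not the skill's own code; the 30-day window, record fields, and file name are assumptions.

```python
import json
import os
import stat
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 30  # assumed retention window; the skill documents none


def temp_store_path():
    """Fresh, private directory for a demonstration store (assumed file name)."""
    return Path(tempfile.mkdtemp()) / "purchase_requests.json"


def load_requests(path):
    path = Path(path)
    if not path.exists():
        return []
    with path.open(encoding="utf-8") as f:
        return json.load(f)


def write_private(path, records):
    """Atomic write with owner-only permissions (0600) so other accounts on a
    shared host cannot read buyer identities, addresses, or budgets."""
    path = Path(path)
    tmp = path.with_name(path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(records, f, ensure_ascii=False, indent=2)
    os.chmod(tmp, 0o600)  # in case the umask or an existing file loosened the mode
    os.replace(tmp, path)


def save_request(path, request, *, consented, now=None):
    """Persist a purchase request only after the user has been told and agreed,
    and stamp it so the retention purge can act on it later."""
    if not consented:
        raise ValueError("purchase request not saved: user has not consented to local persistence")
    now = time.time() if now is None else now
    records = load_requests(path)
    record = dict(request)
    record["saved_at"] = now
    records.append(record)
    write_private(path, records)
    return len(records)


def purge_expired(path, *, now=None, retention_days=RETENTION_DAYS):
    """Drop records older than the retention window; returns how many were removed."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    records = load_requests(path)
    kept = [r for r in records if r.get("saved_at", 0) >= cutoff]
    write_private(path, kept)
    return len(records) - len(kept)


def file_mode(path):
    """Permission bits of the store file, for verifying the 0600 guarantee."""
    return stat.S_IMODE(os.stat(path).st_mode)
```

`purge_expired()` is what a daily cron job for this skill should be running, and it is also the function to call when the user asks for their data to be removed ahead of the window (with `retention_days=0`).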

VirusTotal

66/66 vendors flagged this skill as clean.
