Go (Weiqi) Yunbisai Tournament Site Lookup

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-only Go tournament lookup tool that queries Yunbisai public data and may generate local HTML reports.

Install if you are comfortable with the skill querying Yunbisai public APIs, installing `requests`, and writing generated HTML reports to `/tmp`. Review JSON output before sharing it because public event records may include organizer contact details along with player and match data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill performs network access to third-party APIs and writes HTML output files, yet no permissions are declared. This creates a capability/transparency mismatch: hosts or users may authorize the skill assuming it is low-risk while it can exfiltrate queried data externally and persist generated content to disk.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding: The documentation claims the skill only reads public match, group, and result data, but later API field references include organizer contact information such as contact/linkMan. Even if publicly exposed by the source site, surfacing contact details broadens the data handling scope and can mislead users about what personal data may be retrieved or redistributed.

Intent-Code Divergence

Medium
Confidence: 95%
Finding: The skill asserts that all API-derived data is escaped before generating HTML reports, but the provided guidance and code do not demonstrate any escaping or sanitization. Because player names, event titles, team names, and similar values come from external APIs and are inserted into HTML reports, missing escaping can lead to stored or reflected HTML/JavaScript injection when the report is opened.

VirusTotal

67/67 vendors flagged this skill as clean.