Coze

Security checks across malware telemetry and agentic risk

Overview

This skill is a Coze bot-building guide with an expected external API example, not an executable package or hidden automation.

Reasonable to install as a Coze helper. Before adapting the examples, store real tokens in environment variables or a secrets manager, avoid sending secrets or regulated personal data unless approved, and review Coze data residency, retention, knowledge-base uploads, HTTP nodes, custom plugins, and publishing channels before connecting production data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly recommends HTTP requests and API integration but does not warn that prompts, identifiers, retrieved knowledge, or other conversation data may be transmitted to third-party services. In an agent-skill context, this omission can cause users or downstream agents to send sensitive data externally without informed consent or data-handling constraints.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The sample API call includes a bearer token, user_id, bot_id, and user message content sent to an external Coze endpoint, yet the skill gives no warning that these fields leave the local environment. This is dangerous because users may copy the example into automation unchanged and unknowingly expose personal data, internal prompts, or production tokens to an external service.

External Transmission

Medium
Category
Data Exfiltration
Content
import requests

# Call the published Bot
response = requests.post(
    "https://api.coze.cn/v3/chat",
    headers={
        "Authorization": "Bearer pat_xxx",
Confidence
90% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
import requests

# Call the published Bot
response = requests.post(
    "https://api.coze.cn/v3/chat",
    headers={
        "Authorization": "Bearer pat_xxx",
Confidence
90% confidence
Finding
requests.post( "https://api.coze.cn/v3/chat", headers={ "Authorization": "Bearer pat_xxx", "Content-Type": "application/json" }, json=

External Transmission

Medium
Category
Data Exfiltration
Content
# Call the published Bot
response = requests.post(
    "https://api.coze.cn/v3/chat",
    headers={
        "Authorization": "Bearer pat_xxx",
        "Content-Type": "application/json"
Confidence
89% confidence
Finding
https://api.coze.cn/

VirusTotal

66/66 vendors flagged this skill as clean.
