ClawHub

Kuaishou Genius Actual

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed internal Kuaishou API debugging helper, but it asks users to reuse live corporate session cookies and probe financial/business APIs without enough safety limits or warnings.

Install or use this only if you are authorized by Kuaishou to debug this internal Genius system. Treat session cookies and command output as confidential, avoid --insecure, keep the base URL on the intended trusted corporate domain, and do not share captured payloads or API responses without review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The client deliberately creates an SSL context that disables certificate validation and hostname checking when --insecure is used, enabling man-in-the-middle interception or tampering of authenticated API traffic. In this skill's context, the tool is explicitly designed to reuse session cookies against internal corporate endpoints, so disabling TLS protections materially increases the risk of credential theft, response manipulation, and exposure of sensitive business data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs operators to capture authenticated traffic and pass a live accessproxy_session cookie into probing scripts, but it provides no warning about credential handling, token leakage, or exposure of internal data. This creates a direct path to misuse of session material and increases the chance of unauthorized access or accidental credential disclosure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script is explicitly designed to replay authenticated requests against an internal corporate service by accepting a raw session cookie and attaching it to multiple API calls. In the context of this skill, which promotes API probing, browser request capture, and auth/session reuse, the behavior materially enables credential reuse and authenticated enumeration of internal endpoints, increasing the risk of unauthorized access and session abuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The CLI exposes a user-facing --insecure flag without a strong safety warning, even though it disables TLS protections for requests carrying session cookies. Because this skill is aimed at reverse-engineering and probing internal Kuaishou Genius APIs, the missing warning makes unsafe use more likely in exactly the sort of high-sensitivity environment where intercepted traffic could reveal internal data or active authenticated sessions.

Ssd 4

High
Confidence
99% confidence
Finding
The skill provides step-by-step guidance for reusing a live session, reconstructing internal API workflows, and performing scripted reachability checks against an internal corporate portal. In context, this materially enables post-auth enumeration and automation of internal endpoints, which can be used for unauthorized data access, lateral discovery, and bypass of intended UI-only controls.

Ssd 2

Medium
Confidence
95% confidence
Finding
The wording centers on reverse-engineering data flows, API mapping, payload reconstruction, auth/session reuse, and script-based probing of an internal portal. Even without explicit exploit language, these are classic operational steps for unauthorized internal API discovery and abuse, making the skill more dangerous in this enterprise-internal context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal