伐谋 (FaMou) - Experiment Management

Security checks across malware telemetry and agentic risk

Overview

This skill fits its experiment-management purpose, but it needs review because it can store an API key locally and delete or resubmit experiments without clear confirmation safeguards.

Install only if you trust the FaMou SDK and are comfortable storing a FaMou API key at `~/.famou-ctl/settings.json`. Use a limited-scope key, run the SDK in an isolated environment, and require the agent to ask before installing packages, overwriting credentials, editing experiment files, canceling, deleting, or resubmitting experiments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill performs file-writing behavior by instructing execution of `scripts/config.py write <YOUR_API_KEY>`, which modifies local configuration, but it declares no permissions. This creates a hidden capability boundary: an agent or reviewer may assume the skill is read-only/task-management only, while it can persist secrets and alter local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is experiment management, but the workflow also reads and writes local credential/config state, including API key handling. That mismatch is dangerous because users may consent to routine experiment operations without realizing the skill can access and persist secrets in `~/.famou-ctl/settings.json`, increasing risk of credential exposure or unauthorized reconfiguration.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger logic is overly broad, explicitly activating even on generic phrases like '提交' (submit) or '跑实验' (run experiment) when the context only loosely involves the platform. This increases the chance of unintended invocation of a skill that can install packages, read configs, write API settings, submit jobs, and perform destructive operations, which expands the attack surface for prompt injection or accidental execution.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises destructive capabilities such as deleting and canceling experiments but provides no mandatory confirmation or warning flow. In this context, that is particularly risky because broad trigger conditions may activate the skill unintentionally, allowing irreversible loss of experiment state or results through accidental or manipulated requests.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code writes the API key in plaintext to `~/.famou-ctl/settings.json` without setting restrictive file permissions or warning users that credentials are being stored locally. On multi-user systems, shared environments, backups, or developer workstations with weak home-directory protections, this can expose long-lived credentials and enable unauthorized access to the FaMou service.

VirusTotal

66/66 vendors flagged this skill as clean.