Clean Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it needs review because it mixes mock recommendations with real-looking validation and can reuse saved logged-in browser sessions for scraping.

Install only if you are comfortable with logged-in scraping of Dianping and Xiaohongshu. Treat default output as potentially simulated unless you explicitly run the real scraper, use isolated accounts if possible, inspect and clean the sessions directory, and review platform terms before using proxies or persistent cookies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill documentation indicates capabilities for network access, local file interaction, and likely session/state persistence, yet no explicit permissions are declared. This creates a transparency and consent gap: operators may invoke a skill that performs scraping, stores artifacts, or reads local state without a clear permission boundary, increasing the risk of unintended data access or credential/session exposure.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented purpose suggests simple recommendation cross-checking, but the described behavior expands into authenticated scraping, persistent browser contexts, disk-backed session management, and even mock/default data paths. That mismatch is dangerous because users and reviewers cannot accurately assess what data is collected, whether credentials are handled, or whether outputs are real versus simulated, leading to trust, privacy, and integrity failures.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
This is a true integrity vulnerability: the skill advertises automatic cross-platform validation using Xiaohongshu data, but this code fabricates simulated posts and presents them through the normal fetch path. In a recommendation or trust-scoring workflow, this can mislead downstream agents and users into believing restaurant quality has been verified when no real platform evidence was collected.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The file-level documentation and class descriptions state that it fetches Xiaohongshu restaurant data, but the implementation only generates mock data. This mismatch is security-relevant because it creates deceptive system behavior and can cause consumers of the skill to rely on non-existent validation, though it is somewhat duplicative of the more concrete issue in SDI-1.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs use of authentication cookies and residential proxies without warning users about credential theft risk, account bans, privacy implications, or sensitive session handling. In a scraping context, cookie-based access and proxy rotation materially increase the chance of mishandling authenticated sessions or encouraging unsafe operator behavior.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The markdown describes collecting data from third-party platforms through scraping but does not clearly warn users that network requests will be made, what data will be retrieved, or what legal/privacy/account consequences may follow. This lack of disclosure is a security-relevant transparency issue, especially when the skill may interact with authenticated content and anti-bot controls.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The scraper launches a persistent Playwright context using a stored session directory and refreshes that session automatically, which means cookies and authenticated state may be silently reused. In an agent skill context, this can expose private account context, perform scraping under a user's logged-in identity, and increase the risk of unintended data access or account misuse without explicit consent or visibility.

VirusTotal

66/66 vendors flagged this skill as clean.