Security audit

太湖云水务知识库

Security checks across malware telemetry and agentic risk

Overview

This water-equipment assistant is mostly coherent, but it sends user-derived queries to external services and keeps broad raw logs and mutable knowledge-base files without enough user control.

Review before installing. Use this skill only if third-party Tavily and DashScope/OpenAI-compatible processing of user queries is acceptable; avoid entering sensitive customer or procurement details unless logging is controlled; disable the cron/on-demand update paths unless they are needed; and add log retention limits, redaction, access controls, and a safer file-prune workflow before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp1

High
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The script loads environment variables via load_dotenv(), which implies access to secrets such as API keys even though the manifest does not declare any environment-variable capability. This creates a permission-model mismatch: the skill can depend on undeclared secret material, making review and containment harder and potentially exposing credentials through misuse or later code changes.

Lp1

High
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The script performs outbound network access via the Tavily API, but the declared permissions only cover local filesystem read/readwrite paths. This creates a capability mismatch: the skill can exfiltrate data or fetch untrusted remote content without that behavior being represented in the manifest, undermining user and platform trust boundaries.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This logger persistently records user inputs, tool payloads, AI decisions, and retrieval results to disk, which expands the skill's behavior beyond a simple knowledge-assistant role into data retention and surveillance. In this context, the skill handles potentially sensitive business queries and document contents, so silent persistence materially increases privacy and insider-exposure risk.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The script performs bulk synchronization and cleanup of a filesystem tree, which goes beyond a user-facing knowledge assistant's stated purpose of answering equipment queries. Even if intended for maintenance, this materially expands the skill's operational scope and creates risk of unintended file propagation or deletion if the source contents or hash state are manipulated.

Scope Creep

High
Confidence
97% confidence
Finding
The code copies files into D:\code\openclaw_lakeskill\files, while the manifest only declares readwrite access to D:\code\openclaw_lakeskill\. Writing outside the declared writable scope violates the permission model and can enable unauthorized persistence or cross-skill data modification if executed in a less constrained environment. In this skill context, an ingestion utility should be especially tightly scoped because it processes bulk external content rather than user queries.

Scope Creep

High
Confidence
95% confidence
Finding
The cleanup routine deletes files from the destination when they are absent from the current source scan, creating destructive synchronization behavior without any safeguard, confirmation, or manifest-level justification. If the source directory is incomplete, tampered with, or temporarily unavailable, legitimate destination files can be removed, causing data loss or service disruption.

Scope Creep

High
Confidence
97% confidence
Finding
The code references D:\code\openclaw_lakeskill\files and D:\code\openclaw_lakeskill\water-knowledge-assistant\vector_store, which are outside the manifest-declared paths (outerfiles and the skill root). This bypasses the declared file-scope boundary and could let the skill read or rely on data the reviewer did not authorize, undermining sandbox expectations.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The query workflow sends data to an external embedding service at dashscope.aliyuncs.com, but the manifest describes a local knowledge assistant and does not justify network egress or third-party processing. This can leak user queries or sensitive business terms to an external provider and changes the trust boundary for the skill.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The manifest describes a water-equipment knowledge assistant for querying, recommendation, and comparison, but this code independently pulls external news and mutates the knowledge base. That expands the skill from a local assistant into an autonomous data-ingestion pipeline, increasing supply-chain and prompt/data-poisoning risk from untrusted web content.

Scope Creep

High
Confidence
98% confidence
Finding
The configured output directory is D:\code\openclaw_lakeskill\files\tavily_news, while the manifest only grants readwrite access to D:\code\openclaw_lakeskill\. If enforcement is path-exact or sandbox-based, this is an out-of-scope write target; even if it is technically within a parent tree, the mismatch indicates poor permission hygiene and can bypass intended storage boundaries.

Scope Creep

High
Confidence
97% confidence
Finding
The code makes live external requests to https://api.tavily.com/search without any corresponding network permission in the manifest. In this skill context, that is especially risky because user queries and derived search terms may be transmitted off-platform, and the fetched content is later persisted into the knowledge base.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad generic terms such as '选型' (model selection), '参数' (parameters), '对比' (comparison), and '说明书' (manual), which can appear in many unrelated conversations and cause unintended invocation. Accidental activation is risky here because the skill has read/write workspace access, audit logging, and web-search/update capabilities that may process or retain user data outside user expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill solicits company, contact person, phone number, and application-scene details for quotation drafting without stating any privacy notice, retention policy, or consent mechanism. Because the same document also describes extensive audit logging, this creates a concrete risk of collecting and storing personal or business-sensitive data without informed user consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The audit design explicitly records user input, AI decisions, tool calls, outputs, and identifiers, but the skill does not present users with any visible warning or privacy controls. This is dangerous because users may share product plans, contact details, or procurement information that then becomes persistently logged and queryable.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The logger stores raw user inputs and outputs without any indication of user notice, consent, or purpose limitation. For a water-equipment knowledge assistant, user prompts may include procurement details, customer identifiers, internal product comparisons, or operational information, making undisclosed persistence a meaningful privacy and compliance issue.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
User-supplied query text is embedded by a remote API without any explicit warning or consent flow, so users may unknowingly send product, procurement, or operational data off-platform. In a water-equipment knowledge skill, queries may contain commercially sensitive model numbers, pricing intent, or infrastructure details, making silent exfiltration more serious.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The on-demand update path forwards raw user_query content to an external API when trigger words are present, with only a local print statement as notice. This can disclose sensitive business terms, customer identifiers, or proprietary equipment interests to a third party without meaningful consent or sanitization.

Ssd 3

Medium
Confidence
95% confidence
Finding
These helper methods write raw user input, AI decisions, and tool inputs/outputs in plain language to disk. If logs are accessed by unauthorized users, copied into backups, or retained too long, they become a secondary disclosure channel for sensitive conversational and operational data.

Ssd 3

Medium
Confidence
96% confidence
Finding
The retrieval logger stores the user's query along with document content snippets and metadata, which can expose proprietary knowledge-base contents or sensitive operational context through the log file. In a knowledge assistant tied to local files, retrieval results may include internal manuals, pricing, or configuration data, making this leakage channel more dangerous than generic telemetry.

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try:
        response = requests.post(url, headers=headers, json=data)
        response.raise_for_status()
        return response.json()
    except Exception as e:
Confidence
93% confidence
Finding
requests.post(url, headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
def tavily_search(query, max_results=5, time_range="year", include_domains=None):
    """Call the Tavily API to run a search"""
    url = "https://api.tavily.com/search"
    headers = {
        "Content-Type": "application/json",
    }
Confidence
90% confidence
Finding
https://api.tavily.com/

VirusTotal

39/39 vendors flagged this skill as clean.