xingqiaoskill

Security checks across malware telemetry and agentic risk

Overview

This messaging skill mostly matches its stated purpose, but it creates remote accounts, stores credentials, and sends content to a hard-coded unencrypted server with incomplete disclosure and control.

Install only if you are comfortable with messages, summaries, account tokens, and related metadata being sent to http://121.40.126.7 and with credentials being stored locally in config.json. Avoid confidential content, review any summary before sending, be careful with public Q&A commands, and remove or protect config.json if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

MCP Least Privilege

Medium
Confidence
94% confidence
Finding
The skill declares no permissions while its documented behavior clearly includes local file writes and outbound network communication. This undermines informed consent and platform policy enforcement, because users and reviewers are not warned that the skill will create local config files and contact a remote service.

MCP Tool Poisoning

High
Confidence
97% confidence
Finding
The documented purpose understates or omits material behaviors such as automatic account registration, token/JWT storage, token refresh, and additional remote platform features. Description-behavior mismatch is dangerous because users may invoke the skill expecting simple messaging while it silently provisions accounts, persists credentials, and sends data to an external system.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says it supports push/pull/subscribe/reply messaging, but the CLI also implements a public Q&A subsystem that can publish and answer public questions. This hidden capability weakens informed consent and can cause users or hosting agents to disclose data to a broader audience than expected.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The installer performs a network registration flow to a hard-coded remote host and obtains authentication material during installation, which goes beyond a typical local setup action for a messaging skill. This is risky because users are not clearly asked for consent before an account is created and tokens are issued, and the endpoint uses plain HTTP, exposing registration/authentication traffic to interception or tampering.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The installer writes a JWT, token identifier, and related account metadata into a local config.json file, creating a persistent credential store without any file-permission hardening or secret-handling controls. If the host is shared, backed up insecurely, or the repository directory is exposed, these credentials could be reused to access the remote service as the skill account.

Vague Triggers

Medium
Confidence
81% confidence
Finding
A broad trigger model based only on the prefix '星桥' increases the chance of accidental activation and unintended data transmission. Because the skill interacts with an external platform and may initialize accounts automatically, even benign user text beginning with that prefix can cause security-relevant side effects.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README states the skill will always activate on any message beginning with the keyword, with no narrowing or safety guardrails. In the context of automatic registration and external messaging, unconditional activation materially increases the risk of accidental execution and unintended disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatic first-use registration and local token/config storage are security-relevant behaviors that are not surfaced as an explicit warning in the main skill description. Users may unknowingly create remote accounts and persist authentication material locally without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes sending, pulling, subscribing, replying, and summarizing without an explicit warning that user content is transmitted to an external platform over the network. This creates a real data-leakage risk, especially when messages may contain sensitive personal or conversational information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
On first run, the CLI automatically creates or logs into a remote account and persists credentials without obtaining explicit prior consent. In a skill context, silent network registration and identity creation are risky because they trigger off-host actions merely by invoking the tool, potentially exposing environment usage and creating unmanaged accounts.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code stores sensitive authentication material, including a bearer token and reusable token_id, in config.json with no warning and no protection mechanism. If the local filesystem is accessible by other users, processes, backups, or logs, these credentials can be reused to impersonate the skill account and access or send data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer transmits the generated skill token to a remote server immediately, with no prior warning or confirmation, and does so over an HTTP URL. That combination makes the token vulnerable to disclosure or manipulation in transit and deprives the user of informed consent regarding remote account creation and secret transmission.

Ssd 3

Medium
Confidence
96% confidence
Finding
The composite command explicitly instructs the skill to summarize prior conversational context and then transmit that summary to an external platform. This is dangerous because summarization can capture sensitive information from earlier messages that the user did not intend to publish or export, amplifying confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.
