AI SkillHub — 知识策展系统

Name: ai-skillhub
Author: eeyan2025-art

View on ClawHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

The skill is riddled with command injection vulnerabilities, exposing sensitive

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

AI SkillHub — 知识策展系统: 支持两种格式： - `!skill <关键词> <URL>` — 指定关键词 - `!skill <URL>` — 自动从内容标题生成关键词

Actually does

The skill fetches content from a provided URL using `web_fetch` or extracts subtitles from Bilibili/YouTube videos via `exec` running a Python script. It then saves the raw content to `/tmp/raw_content.md`, generates a summary using `llm-task`, and finally uses `exec` to clone a GitHub repository (specified by `GITHUB_REPO` and `GITHUB_TOKEN`), add the content and summary, commit, and push to GitHub.

Threat Analysis

AI Agent Traps ↗Scanned 4/19/2026

Content InjectionPerception2 findings

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learning1 finding

Behavioural ControlAction12 findings

SystemicMulti-Agent Dynamics1 finding

Human-in-the-LoopHuman Overseer2 findings

Skill Info

Nameeeyan2025-art/ai-skillhub

Registryclawhub

Version3.0.0

PURLpkg:clawhub/eeyan2025-art/ai-skillhub@3.0.0

Downloads189

Source

Repository ↗

SHA-2568e92a9b567d9...

SHA-1e9c4e37ef755...

MD5e0376e3977bf...

TLSHe771d8208ce7...

Size3,792 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/eeyan2025-art/ai-skillhub

189 downloads

ClawHubDocs

openclaw skills install eeyan2025-art/ai-skillhub

Assessments (5)

AI Agent Traps ↗

Access to sensitive environment variables detectedcriticalcredential theft

Access to sensitive environment variables detected

100% confidenceline 103

${GITHUB_TOKEN}

Command Injection via user-controlled keywordcriticalcommand execution

The user-provided or derived `keyword` is directly interpolated into multiple `exec` commands (e.g., `mkdir`, `cp`, `git commit`). This allows an attacker to inject arbitrary shell commands by crafting a malicious `keyword` containing shell metacharacters.

100% confidenceline 103

mkdir -p skillhub_repo/skills/{keyword}, git -C skillhub_repo commit -m 'Add skill [{keyword}]'

Command Injection via user-controlled URL in execcriticalcommand execution

The `url` parameter, which is user-controlled, is directly passed to a `python3` script via the `exec` tool. If the Python script or the shell command itself does not properly sanitize the `url`, it could lead to command injection.

100% confidenceline 56

command": "python3 ~/.openclaw/scripts/yt_transcript.py {url} 2>&1"

Command Injection via fetched content in here-documentcriticalcommand execution

Content fetched from a user-provided URL is directly inserted into a shell 'here-document' (`cat > /tmp/raw_content.md << 'RAWEOF' ... {content} RAWEOF`). A malicious URL could return content containing the `RAWEOF` delimiter or other shell escape sequences, allowing an attacker to inject arbitrary commands.

100% confidence

command": "cat > /tmp/raw_content.md << 'RAWEOF'\n...\n{Step 2 返回的完整内容}\nRAWEOF"

Potential Data Exfiltration via git operationshighdata exfiltration

The skill performs `git clone` and `git push` operations using an environment variable `GITHUB_TOKEN`. If command injection is successful, an attacker could potentially modify the remote repository URL or exfiltrate other files from the agent's environment to an attacker-controlled repository.

90% confidence

git clone "https://${GITHUB_TOKEN}@github.com/${GITHUB_REPO}.git" skillhub_repo

Arbitrary Command Execution via exec toolcriticalcommand execution

The skill explicitly instructs the agent to use an 'exec' tool to run arbitrary shell commands, including git clone, file writes, and a Python script. This enables unrestricted code execution on the host system.

100% confidenceline 71

"tool": "exec",
"command": "cd /tmp && rm -rf skillhub_repo && git clone ...

Credential Theft via GITHUB_TOKEN in Shell Commandcriticalcredential theft

The skill embeds the GITHUB_TOKEN environment variable directly into a git clone URL via shell interpolation. This exposes the token in process lists, shell history, and potentially in logs. The token is used to authenticate to GitHub without any validation of the target repository.

100% confidenceline 103

git clone \"https://${GITHUB_TOKEN}@github.com/${GITHUB_REPO}.git\"

Shell Injection via Unvalidated URL and Keywordcriticalcommand execution

User-supplied URL and keyword values are interpolated directly into shell commands without sanitization or quoting. An attacker could craft a malicious keyword or URL containing shell metacharacters (semicolons, backticks, $()) to execute arbitrary commands.

95% confidenceline 44

"command": "cat > /tmp/raw_content.md << 'RAWEOF'\n...\n- URL: {url}\n- 关键词: {keyword}" and mkdir -p skillhub_repo/skills/{keyword}

Arbitrary Python Script Execution on Hosthighcommand execution

The skill instructs the exec tool to run a Python script located at ~/.openclaw/scripts/yt_transcript.py with a user-controlled URL as argument. This executes code from a potentially untrusted path and passes unsanitized user input as an argument.

95% confidenceline 56

"command": "python3 ~/.openclaw/scripts/yt_transcript.py {url} 2>&1"

Data Exfiltration via GitHub Pushhighdata exfiltration

The skill automatically pushes fetched web content and generated summaries to an external GitHub repository. The target repository is controlled by GITHUB_REPO environment variable, which could be attacker-controlled, enabling exfiltration of processed data.

85% confidenceline 73

git clone "https://${GITHUB_TOKEN}@github.com/${GITHUB_REPO}.git" skillhub_repo && ... && git -C skillhub_repo push origin ${GITHUB_BRANCH:-main}

Unvalidated External URL Fetch (SSRF Risk)highssrf

The skill fetches arbitrary user-supplied URLs via web_fetch without any validation or allowlist. An attacker could supply internal network URLs (e.g., http://169.254.169.254/latest/meta-data/) to perform Server-Side Request Forgery against internal infrastructure.

88% confidenceline 41

"url": "{url}",
"extractMode": "markdown"

Tool Shadowing: Suppressing Legitimate Toolsmediumtool poisoning

The skill explicitly declares that certain tools 'do not exist' and forbids their use, overriding the agent's normal tool availability assessment. This manipulates the agent's tool selection behavior.

80% confidenceline 131

- `extract_content_from_websites`、`audios_understand`、`search` 等工具**不存在**，禁止调用

Prompt Injection via Web-Fetched Contentcriticalprompt injection

User-supplied URLs are fetched and their full content is passed directly into subsequent prompts and shell commands (Step 5 and Step 4). A malicious web page could contain injected instructions that manipulate the agent's reasoning or inject shell metacharacters into exec commands.

97% confidenceline 52

"input": "{Step 2 返回的完整内容}" and "command": "cat > /tmp/raw_content.md << 'RAWEOF'\n...\n{Step 2 返回的完整内容}\nRAWEOF"

Heredoc Content Injection into Shell Commandmediumsyntactic masking

Web-fetched content is written to a file using a heredoc (RAWEOF delimiter). If the fetched content contains the string 'RAWEOF', the heredoc terminates early and subsequent content may be interpreted as shell commands.

85% confidenceline 44

cat > /tmp/raw_content.md << 'RAWEOF'\n...\n{Step 2 返回的完整内容}\nRAWEOF

RAG Poisoning / Knowledge Base Manipulationhighrag poisoning

The skill fetches content from a user-provided URL and uses it as input for an `llm-task` to generate a summary. A malicious URL could provide misleading, biased, or harmful content, which would then be processed and potentially stored in a knowledge base, poisoning the agent's future reasoning.

100% confidence

input": "{Step 2 返回的完整内容}" in llm-task

Autonomy Abuse: No User Confirmation Before Actionshighautonomy abuse

The skill is designed to execute file system writes, external network requests, and git pushes to a remote repository without requesting user confirmation at any step. The workflow proceeds fully automatically after a single trigger command.

90% confidenceline 16

收到！正在处理「{URL}」，预计 1-3 分钟... [then proceeds through all steps automatically including push to GitHub]

Human-in-the-Loop Social Engineeringmediumhuman social engineering

The final notification to the user includes the user-controlled `keyword` and `url`. An attacker could craft these inputs to display misleading information or phishing links, potentially tricking the human overseer.

80% confidence

✅ Skill 已完成：【{keyword}】 ... 📦 来源：{url}

Approval Fatigue: Progress Messages Normalize Actionsmediumapproval fatigue

The skill instructs the agent to send reassuring progress messages after each step, which conditions the human overseer to expect and accept a stream of automated actions without scrutiny.

72% confidenceline 133

每步完成后发一条简短进度消息给用户

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/eeyan2025-art/ai-skillhub.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/eeyan2025-art/ai-skillhub)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/eeyan2025-art/ai-skillhub"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/eeyan2025-art/ai-skillhub.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/eeyan2025-art/ai-skillhub.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow