Hacker News new | ask | show | jobs
by Nextgrid 135 days ago
VirusTotal is completely useless for this though? You need enough people to be pwned by that particular piece of malware for it to be flagged as dangerous, by which point the attackers would've already repacked it so it doesn't match the previous signature.
1 comments
dpoloncsak 135 days ago
Adding on here...

VirusTotal is flagging the trello skill as suspucious because it Does NOT include an API key? Am i expected to share my keys if I want to upload a skill?

https://clawhub.ai/steipete/trello

"Requiring TRELLO_API_KEY and TRELLO_TOKEN is appropriate for Trello access, but the registry records no required env vars while SKILL.md documents them. This omission is problematic: the skill will need highly privileged credentials but the published metadata does not disclose that requirement. The SKILL.md also references 'jq' and uses curl, but these are not declared in the registry entry."

link
inlustra 134 days ago
You’ve completely missed the point, it’s saying that the skill will need you to provide a Trello API key but he hasn’t declared that it will need that

Subsequently they’ve included the use of curl but also haven’t declared that either which means that it _could_ leak your key if you provide it one. That’s why it’s suspicious - virus total has flagged that you should probably review the skill.md

link
dpoloncsak 134 days ago
Oh, I see. Seems obvious you would need an API key in this context but I get the idea that it's an undeclared but required var, which could be shady
link