dont-click-this
Whatever you do... don't click the link.
Installation / Download
TotalClaw CLI (recommended)
totalclaw install clawskills:clawskills~orlyjamie-dont-click-this
cURL (direct download, no login required)
curl -fsSL https://skills.taituai.com/api/skills/clawskills%3Aclawskills~orlyjamie-dont-click-this/file -o orlyjamie-dont-click-this.md

# 🚫 Don't Click This

```
██████╗  ██████╗ ███╗   ██╗████████╗
██╔══██╗██╔═══██╗████╗  ██║╚══██╔══╝
██║  ██║██║   ██║██╔██╗ ██║   ██║
██║  ██║██║   ██║██║╚██╗██║   ██║
██████╔╝╚██████╔╝██║ ╚████║   ██║
╚═════╝  ╚═════╝ ╚═╝  ╚═══╝   ╚═╝
```

---

## ⚠️ WARNING

This is a security research demonstration.

**Do NOT click the link below if you are logged into ClawdHub.**

*(Unless you want to see what an attacker could steal from you)*

---

## The Link

> *"Curiosity killed the cat..."*

👉 [**Seriously, don't click this**](https://clawdhub.com/api/v1/skills/dont-click-this/file?path=demo.svg) 👈

---

## What This Demonstrates

If you clicked that link while logged in, a malicious skill could have:

- 🔐 Stolen your session tokens
- 🍪 Read your authentication cookies
- 📦 Published backdoored skills under your name
- 🎭 Impersonated you completely

All from a link in a skill's README.

**This is stored XSS via SVG.** Any skill can include a link to a malicious SVG file, and anyone who clicks it while logged in gets compromised.

---

## Research by

[@theonejvo](https://x.com/theonejvo)

Part of the "Eating Lobster Souls" security research series.
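A defender-side check for the condition described above, added here as an example and not taken from the README or from ClawdHub: it audits the response headers of an endpoint that serves user-uploaded files and reports when an SVG would render inline with script access to the site's origin. The function names and both sample header sets are constructed for illustration; they are not captured from the real service.

```python
# Added example: names and sample header sets are constructed, not captured from ClawdHub.
SCRIPTABLE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml",
                    "text/xml", "application/xml"}

def parse_csp(value):
    """Return {directive: [tokens]}; the first occurrence of a directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_user_file_response(headers):
    """Return a list of findings for a response that serves a user-uploaded file."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    csp = parse_csp(h.get("content-security-policy", ""))
    # "attachment" makes the browser download the file instead of rendering it.
    is_download = h.get("content-disposition", "").strip().lower().startswith("attachment")
    sandbox = csp.get("sandbox")
    # A sandbox isolates the document unless it grants scripts AND the real origin.
    isolated = sandbox is not None and not {"allow-scripts", "allow-same-origin"} <= set(sandbox)
    # script-src falls back to default-src when it is absent.
    scripts_blocked = csp.get("script-src", csp.get("default-src")) == ["'none'"]
    findings = []
    if ctype in SCRIPTABLE_TYPES and not (is_download or isolated or scripts_blocked):
        findings.append(f"{ctype} renders inline and can run script in the site's origin")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    return findings

# Constructed sample: user SVG served inline from the application origin.
VULNERABLE = {"Content-Type": "image/svg+xml"}
# Constructed sample: same file, forced to download and stripped of script rights.
HARDENED = {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": 'attachment; filename="demo.svg"',
    "Content-Security-Policy": "default-src 'none'; sandbox",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, sample in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_user_file_response(sample))
```

Serving user files from a separate origin that holds no session cookies removes the exposure regardless of these headers; the header check covers the case where files must stay on the application's own origin.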