dont-click-this
Whatever you do... don't click the link.
Installation / Download
TotalClaw CLI (recommended)
```
totalclaw install totalclaw:totalclaw~orlyjamie-dont-click-this
```
cURL direct download, no login required
```
curl -fsSL https://skills.taituai.com/api/skills/totalclaw%3Atotalclaw~orlyjamie-dont-click-this/file -o orlyjamie-dont-click-this.md
```

## Overview (translated from Chinese)

Whatever you do... don't click the link.

## Original text

# 🚫 Don't Click This

```
██████╗  ██████╗ ███╗   ██╗████████╗
██╔══██╗██╔═══██╗████╗  ██║╚══██╔══╝
██║  ██║██║   ██║██╔██╗ ██║   ██║
██║  ██║██║   ██║██║╚██╗██║   ██║
██████╔╝╚██████╔╝██║ ╚████║   ██║
╚═════╝  ╚═════╝ ╚═╝  ╚═══╝   ╚═╝
```

---

## ⚠️ WARNING

This is a security research demonstration.

**Do NOT click the link below if you are logged into ClawdHub.**

*(Unless you want to see what an attacker could steal from you)*

---

## The Link

> *"Curiosity killed the cat..."*

👉 [**Seriously, don't click this**](https://clawdhub.com/api/v1/skills/dont-click-this/file?path=demo.svg) 👈

---

## What This Demonstrates

If you clicked that link while logged in, a malicious skill could have:

- 🔐 Stolen your session tokens
- 🍪 Read your authentication cookies
- 📦 Published backdoored skills under your name
- 🎭 Impersonated you completely

All from a link in a skill's README.

**This is stored XSS via SVG.** Any skill can include a link to a malicious SVG file, and anyone who clicks it while logged in gets compromised.

---

## Research by [@theonejvo](https://x.com/theonejvo)

Part of the "Eating Lobster Souls" security research series.
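
A defensive check for the stored XSS via SVG described above, as an added example that is not part of the original README or of ClawdHub's code: an upload-time scan that refuses SVG files carrying script elements, event-handler attributes or script-scheme links. The function names, finding labels and sample files are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that run or embed active content when an SVG is opened as a document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute or load markup when used in href/src.
ACTIVE_SCHEMES = ("javascript:", "data:text/html", "data:image/svg+xml")

def local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list[str]:
    """Reasons to refuse this upload; an empty list does not prove it is safe."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not-utf8"]  # avoid encodings that would hide markup from the checks
    # Refuse DTDs before parsing so entity definitions are never expanded.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return ["doctype-or-entity"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]  # a lenient renderer might still run it
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for name, value in el.attrib.items():
            attr = local(name).lower()
            compact = "".join(value.split()).lower()  # ignore whitespace around a scheme
            if attr.startswith("on"):
                findings.append(f"handler:{tag}@{attr}")
            elif attr in ("href", "src") and compact.startswith(ACTIVE_SCHEMES):
                findings.append(f"url:{tag}@{attr}")
    return findings

# Constructed samples, not taken from the demo file the README links to.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
          b'<script>/* placeholder */</script>'
          b'<a xmlns:x="http://www.w3.org/1999/xlink" x:href=" javascript:void 0">'
          b'<text>x</text></a></svg>')

if __name__ == "__main__":
    print(svg_findings(BENIGN))
    print(svg_findings(ACTIVE))
```

Serving user-supplied files as attachments or from a separate origin keeps any case the scan misses away from the logged-in session.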