Pinterest

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Pinterest browsing purpose, but it needs review because its helper script can install software at runtime without explicit approval.

Review the helper script before installing or running it. Pinterest browsing and image-sending are expected for this skill, but the Python helper should not install packages automatically; install its dependencies deliberately, pinned, in a controlled environment. If using OAuth, grant only read-only Pinterest scopes, keep the token out of shell history and logs, and do not forward screenshots or media unless they are clearly the Pinterest content the user asked for.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("Installing httpx...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "httpx", "-q"])
    import httpx
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "httpx", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill invokes browser navigation, messaging, shell commands, and environment-variable use but does not declare corresponding permissions or trust boundaries. This creates hidden capability exposure: reviewers and orchestrators may allow the skill to run without understanding that it can access network resources, read secrets from the environment, and execute local commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior exceeds the stated purpose by introducing scraping and authenticated access to user boards/pins via OAuth-backed API calls. This mismatch is dangerous because users and platform reviewers may consent to a simple public-image browsing skill while the skill can also access account-linked resources and perform higher-risk actions than advertised.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill description suggests public Pinterest browsing, but the code also exposes authenticated listing of the user's boards and board pins. This mismatch can lead to unintended access and disclosure of personal Pinterest data because users may invoke the skill without realizing it can operate on their private/account-scoped content.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The function is presented as query-based API search, but it actually ignores the query and returns the authenticated user's own pins. This is dangerous because a user or downstream agent expecting public search results could instead retrieve and expose account data, creating a privacy and least-surprise failure.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The misleading docstring/comment masks account-scoped data access as generic search functionality. In agent workflows, deceptive or inaccurate capability descriptions increase the chance that private user content is accessed or disclosed under false assumptions about what the tool does.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Self-installing a dependency via pip at runtime is unnecessary for the claimed browsing purpose and introduces supply-chain risk plus unreviewed code execution. In a skill ecosystem, this is especially dangerous because tool execution may occur automatically and users may not expect package installation side effects.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation text is broad enough to route many generic inspiration or image-seeking requests into this skill, increasing unnecessary invocation of web browsing and third-party content handling. Over-broad triggering expands attack surface and can cause the skill to engage in scraping, media transfer, or account-linked actions in contexts where the user did not specifically ask for Pinterest.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to forward externally hosted Pinterest images directly to users, but provides no privacy, licensing, or third-party transfer safeguards. Sending remote media can leak user interaction metadata to external hosts, redistribute copyrighted or unsafe content, and bypass opportunities for content inspection or user consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly states that the skill uses web scraping as a fallback for broader Pinterest search, but it provides no warning about the legal, privacy, account-security, or terms-of-service implications of scraping a consumer website. In this skill's context, that omission matters because the agent may rely on scraping to obtain user-requested content and send images onward, increasing the chance of undisclosed collection, blocking, or account issues.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to export a live Pinterest access token directly in the shell without warning about secure secret handling, shell history retention, terminal logging, or safer secret-loading methods. This can lead to accidental credential exposure on shared systems, in shell history files, CI logs, screenshots, or support transcripts.
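As an added example of the safer secret-loading this finding says the documentation omits (example code, not the skill's own): a small Python loader that prefers an owner-only token file over a shell-exported variable, refuses token files that group or others can read, and redacts the token in anything it prints or raises. The variable name PINTEREST_ACCESS_TOKEN, the default file path and the constructed token value are assumptions of the example.

```python
"""Load the skill's Pinterest token without `export PINTEREST_ACCESS_TOKEN=...` in the shell.

Added example for this page; it is not the skill's own code. The variable name and
the token-file path are assumptions. Preference order: an owner-only token file
(mode 0600, checked before reading), then the environment variable. The raw token
is never logged; redact() is what goes into output and error messages.
"""
import os
import stat
import tempfile
from pathlib import Path

ENV_VAR = "PINTEREST_ACCESS_TOKEN"                                    # assumed name
DEFAULT_TOKEN_FILE = Path("~/.config/pinterest/token").expanduser()  # assumed path


def redact(token: str) -> str:
    """Keep only a recognisable prefix/suffix so logs can identify which token
    was used without disclosing it."""
    if len(token) < 12:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def check_owner_only(path: Path) -> None:
    """Refuse token files that group or others can read or write (POSIX modes;
    on Windows this check is not meaningful and an ACL check belongs here instead)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(
            f"{path} has mode {mode:o}; it must be owner-only (chmod 600)")


def load_token(env=None, token_file=DEFAULT_TOKEN_FILE) -> tuple:
    """Return (token, source) where source is 'file' or 'env'."""
    env = os.environ if env is None else env
    token_file = Path(token_file)
    if token_file.is_file():
        check_owner_only(token_file)
        token = token_file.read_text(encoding="utf-8").strip()
        if token:
            return token, "file"
    token = env.get(ENV_VAR, "").strip()
    if token:
        # Accepted, but the value now lives in the process environment: do not pass
        # the environment on to subprocesses or dump it into logs or bug reports.
        return token, "env"
    raise RuntimeError(
        f"no Pinterest token found: create {token_file} with mode 600 or set {ENV_VAR}")


def demo() -> dict:
    """Exercise the file path end to end in a temp dir (constructed token, not real)."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "token"
        path.write_text("pina_constructed_example_token_0001\n", encoding="utf-8")
        os.chmod(path, 0o600)
        token, source = load_token(env={}, token_file=path)
        os.chmod(path, 0o644)       # now world-readable: loading must be refused
        try:
            load_token(env={}, token_file=path)
            refused = False
        except PermissionError:
            refused = True
    return {"source": source, "redacted": redact(token), "refused_world_readable": refused}


if __name__ == "__main__":
    print(demo())
```

The mode check runs before the file is read, so a token that was copied into place with default umask permissions is rejected rather than silently used; the environment path is kept as a fallback because some agent runtimes only offer that channel, but the caller is told which source the token came from.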

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script installs software without warning or confirmation, changing the host environment and potentially executing package-provided code. Even if intended for convenience, silent installation violates user expectations and creates avoidable security and integrity risks.
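Three findings on this page concern the same root pattern: the subprocess call quoted in the first finding, the context-inappropriate self-install, and this silent-installation warning. The following Python is an added example, not SkillSpector's scanner code and not the skill's own helper: it implements the kind of AST rule the "Behavioral AST" category describes, runs it over a constructed copy of the quoted snippet, and shows a fail-closed require() helper in place of the self-install. Function names, the installer list and the severity mapping are assumptions of this example.

```python
"""Static check for skill helper scripts: flag packages installed at runtime.

Added example for this page; it is not SkillSpector's own code. It shows the kind
of AST rule the scanner's "Behavioral AST" category describes: find subprocess
calls whose argv runs a package installer, and raise the severity when the call
sits inside an `except ImportError` handler, the self-installing pattern quoted
in the first finding. require() is the fail-closed replacement for that pattern.
"""
import ast
import importlib
from dataclasses import dataclass, field

# Constructed sample: the excerpt from the first finding, completed with the
# `import sys` and `try:` lines the excerpt omits so that it parses as a module.
SAMPLE_SCRIPT = '''
import sys
try:
    import httpx
except ImportError:
    print("Installing httpx...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "httpx", "-q"])
    import httpx
'''

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}
INSTALLERS = {"pip", "pip3", "uv", "poetry", "conda", "npm", "npx", "apt-get", "apk", "brew"}
IMPORT_ERRORS = {"ImportError", "ModuleNotFoundError"}


@dataclass
class Finding:
    line: int
    call: str                       # e.g. "subprocess.check_call"
    packages: list = field(default_factory=list)
    in_import_fallback: bool = False
    severity: str = "Medium"


def _argv_strings(call: ast.Call) -> list:
    """String literals of the first positional argument: a list/tuple argv, or a
    shell=True command string split on whitespace. Non-literal items (such as
    sys.executable) are skipped, which is why the check keys on installer names."""
    if not call.args:
        return []
    argv = call.args[0]
    if isinstance(argv, (ast.List, ast.Tuple)):
        return [e.value for e in argv.elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    if isinstance(argv, ast.Constant) and isinstance(argv.value, str):
        return argv.value.split()
    return []


def _call_name(func: ast.expr) -> str:
    if isinstance(func, ast.Attribute):
        return f"{ast.unparse(func.value)}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _is_install(tokens: list) -> bool:
    # Covers `python -m pip install X`, `pip install X`, `uv pip install X`, `npm install X`.
    return "install" in tokens and any(t in INSTALLERS for t in tokens)


class InstallFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self._fallback_depth = 0   # > 0 while inside an `except ImportError:` body

    def visit_ExceptHandler(self, node: ast.ExceptHandler):
        caught = set()
        if isinstance(node.type, ast.Name):
            caught.add(node.type.id)
        elif isinstance(node.type, ast.Tuple):
            caught.update(e.id for e in node.type.elts if isinstance(e, ast.Name))
        is_fallback = int(bool(caught & IMPORT_ERRORS))
        self._fallback_depth += is_fallback
        self.generic_visit(node)
        self._fallback_depth -= is_fallback

    def visit_Call(self, node: ast.Call):
        name = _call_name(node.func)
        if name.rsplit(".", 1)[-1] in SUBPROCESS_FUNCS:
            tokens = _argv_strings(node)
            if _is_install(tokens):
                packages = [t for t in tokens[tokens.index("install") + 1:]
                            if not t.startswith("-")]
                fallback = self._fallback_depth > 0
                self.findings.append(Finding(node.lineno, name, packages, fallback,
                                             "High" if fallback else "Medium"))
        self.generic_visit(node)


def find_runtime_installs(source: str) -> list:
    finder = InstallFinder()
    finder.visit(ast.parse(source))
    return finder.findings


def require(module_name: str):
    """Fail-closed replacement for the self-installing fallback: import the
    dependency or stop with an actionable message; never run an installer from
    inside the skill."""
    try:
        return importlib.import_module(module_name)
    except ImportError as exc:
        raise SystemExit(f"missing dependency {module_name!r}: install it deliberately "
                         "in the skill's pinned environment, then rerun") from exc


if __name__ == "__main__":
    for f in find_runtime_installs(SAMPLE_SCRIPT):
        print(f"{f.severity}: line {f.line} {f.call} installs {f.packages} "
              f"(inside except ImportError: {f.in_import_fallback})")
```

The rule deliberately matches on installer names in the argv literals rather than on the interpreter path, because `sys.executable` is an attribute, not a string constant, and a regex over source text would miss the same call written with a variable or a tuple. Like the scanner's own Behavioral AST checks it is static and so cannot see installs assembled at runtime from concatenated strings; that is the caveat to state alongside any "clean" result.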

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal