ClawHub

Telegram Channel Operator

Security checks across malware telemetry and agentic risk

Overview

This is a text-only Telegram content-writing skill with no executable code, persistence, or hidden data access, though users should only use the identity-specific voice when appropriate.

Install only if you want help drafting or auditing Telegram channel content. Review any posts before publishing, especially token or trading-related posts, and use the ArewaOS/Zahra/Kano identity framing only when you are actually representing that project or have permission to use that voice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation guidance is broad enough to trigger on generic social-media or content requests, which can cause the agent to invoke this skill outside its intended Telegram/Web3/AI niche. Over-broad routing increases the chance of irrelevant or policy-bypassing behavior because the skill may steer outputs toward channel operations, token commentary, or promotional content when the user asked for something more general.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The skill prescribes a specific regional/community voice ('Nigerian/Web3 community voice') as an input option and later reinforces ArewaOS-specific identity cues, which can lead the agent to adopt culturally specific identity framing without clear user opt-in. This is risky because it may impersonate a regional identity, misrepresent authorship, or produce culturally loaded messaging that the user did not request.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal