Security audit

SeedDrop

Security checks across malware telemetry and agentic risk

Overview

SeedDrop appears to be a real social-engagement assistant, but it needs review because it uses live social-account cookies, browser/API automation, and subtle promotional reply guidance.

Install only if you are comfortable giving an assistant access to social-platform sessions and public-reply workflows. Use SocialVault, prefer dedicated accounts, keep manual approval enabled, review every draft for honest disclosure, and avoid anti-bot browser fallback or posting actions unless you explicitly approve the exact target and content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (41)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document states SocialVault is mandatory and plaintext/local storage is unsupported, but the execution path says the auth bridge performs local fallback automatically. That contradiction can lead operators to unknowingly run with weaker credential handling, increasing the risk of cookie theft, insecure persistence, or accidental credential exposure on disk.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The disclaimer claims the tool is not a crawler or scraper, yet the pipeline includes browser-based search, page rendering, and extraction of post links, titles, and excerpts. This mismatch is dangerous because it obscures the actual behavior of the skill from users and reviewers, weakening informed consent, compliance review, and risk assessment for automated collection of third-party content.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The security manifest states that no external endpoints are called, but this file defines and exports generic network request functionality via fetchWithRetry and request header builders. Misleading security metadata can cause reviewers or automated tooling to underestimate the module's network capabilities, which is risky in an agent skill that can act autonomously across external platforms.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The security manifest states that no external endpoints are called, but this file defines and exports generic network request functionality via fetchWithRetry and request header builders. Misleading security metadata can cause reviewers or automated tooling to underestimate the module's network capabilities, which is risky in an agent skill that can act autonomously across external platforms.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The module includes browser and API header builders explicitly labeled as anti-detection helpers, including forged browser fingerprinting headers and cookie injection. In the context of a skill designed to search and reply on third-party social platforms, this increases the ability to evade platform controls and automate authenticated actions, raising abuse and account-compromise risk if credentials are mishandled or the behavior violates platform protections.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill repeatedly asserts that SocialVault is mandatory and plaintext credential storage is unsupported, yet the execution pipeline says the auth bridge performs a local fallback automatically. For a skill handling live platform cookies for Bilibili (B站), Tieba (贴吧), Zhihu (知乎) and Xiaohongshu (小红书), undocumented fallback behavior can silently bypass the stated credential boundary and lead to weaker local storage, accidental exposure, or operator misuse under false security assumptions.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
This is a true security inconsistency: the documentation promises no plaintext credential storage and mandatory encrypted handling, but the later pipeline language contradicts that guarantee with automatic local fallback. Contradictory security claims are dangerous because users and reviewers may trust the stronger statement while the implementation permits a weaker path for sensitive session cookies.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The guidance explicitly advises making brand mentions 'extremely natural' and using vague phrasing to conceal promotional intent. In a generic reply-style template, this is not neutral writing advice; it facilitates undisclosed advertising and deceptive persuasion designed to evade community scrutiny.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section gives operational advice for avoiding moderation triggers and platform risk controls, such as avoiding folded comments, limiting repeated comments, and adapting behavior for new accounts. That is anti-detection guidance which can be used to scale spam, covert marketing, or other abusive activity while reducing the chance of enforcement.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The guidance explicitly instructs writers to mention brands 'extremely naturally' using vague phrasing, which is a classic stealth marketing tactic rather than a neutral style recommendation. In the context of a skill named 'seeddrop' and a Xiaohongshu reply guide, this increases the likelihood that the file is meant to disguise advertising as authentic user conversation and evade platform moderation or user detection.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The '种草暗线型' (covert product-seeding) template is not an ordinary conversational reply pattern; it is a structured covert recommendation designed to steer users toward a product category or service under the appearance of personal help. This is dangerous because it operationalizes hidden persuasion and can be used to manipulate platform discussions while avoiding obvious promotional markers.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file includes advice about comment folding, account throttling, and reporting-driven moderation in a way that helps the operator avoid platform risk controls rather than simply format replies. Guidance aimed at reducing detection or penalties for coordinated commenting materially increases the likelihood of abusive campaign use.

Vague Triggers

High
Confidence
96% confidence
Finding
The rule is configured with an `always_on` trigger, so it can be injected into every interaction regardless of user intent or task relevance. In an agent system, overly broad activation increases the chance of unintended instruction application, prompt pollution, and interference with unrelated tasks, which can degrade safety and reliability even if the content itself is not overtly malicious.

Vague Triggers

High
Confidence
94% confidence
Finding
The `always_on` trigger makes this rule activate in essentially every context, which can let a narrowly scoped Vue 2 rule override or interfere with unrelated tasks. In an agent setting, overly broad activation increases prompt-injection and instruction-shadowing risk because the agent may apply these directives outside their intended project context.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The rule manifest uses an `always_on` trigger, which causes the documentation-generation behavior to be active in all contexts rather than only when explicitly invoked. In an agent skill system, broad automatic activation increases the chance of unintended instruction injection into unrelated workflows, causing the agent to generate or prioritize documentation actions when not appropriate.

Vague Triggers

High
Confidence
95% confidence
Finding
The `always_on` trigger causes this rule file to activate unconditionally across all interactions, which can let its behavioral constraints override task-specific context and create a persistent prompt-injection surface. While the content here is mostly procedural guardrails rather than directly malicious instructions, broad unconditional activation increases the blast radius of any flawed, conflicting, or adversarial rule content.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The `always_on` trigger causes this skill to be invoked in every context rather than only when its review/refactor behavior is relevant. That broad activation increases the chance of unintended interference with unrelated tasks, prompt-surface expansion, and accidental application of review instructions where they do not belong.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger list includes broad natural-language phrases such as community engagement and social listening that could match benign conversation and invoke the skill unexpectedly. In this skill's context, unintended invocation is more concerning because the workflow can access credentials, perform platform monitoring, and generate engagement drafts on authenticated accounts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents a local credential fallback without prominently warning that this reduces security compared with the stated SocialVault-required model. Because the skill relies on high-value session cookies for multiple platforms, downplaying the downgrade materially increases the chance of insecure storage and account compromise.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide explicitly shows passing `credential.value` into a browser automation instruction as `cookies`, which normalizes use of raw session material in automated web access. Without guidance on secure storage, scope restriction, redaction, consent, and avoiding logging/exfiltration, developers may handle live session cookies unsafely, enabling account takeover if those cookies are leaked or reused.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The quickstart directs users to add live platform cookies as credentials but does not warn that these tokens can grant full account access and may expose private data or enable account takeover if mishandled. In this skill context, the risk is elevated because the tool appears designed to automate actions across multiple social platforms, so users may normalize supplying high-value session tokens without understanding the security implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide teaches users how to extract authentication cookies directly from browser developer tools and request headers, including specific token names, without emphasizing that these values are reusable session secrets. That is dangerous because anyone who obtains them can often impersonate the user on the target platform, and the context makes it more serious since the document operationalizes credential harvesting for multiple services and even notes token lifetimes for continued automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The reply method sends arbitrary caller-supplied content to Bilibili using the provided authenticated cookie, and this file contains no consent, approval, or policy checks before performing the action. In an agent-skill context, that means any upstream prompt injection, task confusion, or malicious workflow could cause unauthorized posting from the user's account, creating account abuse, spam, or reputational harm.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The adapter sends a raw session cookie as the Cookie header to an external Xiaohongshu endpoint, which grants account access equivalent to the authenticated browser session. In this skill context that is expected for functionality, but it is still security-sensitive because the file performs privileged authenticated requests without any in-file guardrails, scoping, or explicit user-consent handling.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The browser fallback serializes the authentication cookie into a returned instruction payload, increasing the chance that the credential is exposed to downstream components, logs, storage, or other agents that process the payload. Because this skill is explicitly packaging reusable session material into data output, the context makes it more dangerous than a simple in-memory authenticated request.

VirusTotal

66/66 vendors flagged this skill as clean.