
Security audit

SocialVault

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed social-account credential vault, but it asks users to hand over live session cookies and can reuse them for automated account actions and refreshes.

Install only if you intentionally want OpenClaw to store and reuse social-platform login sessions. Treat pasted cookies like passwords, use a dedicated low-risk account where possible, avoid write-capable tokens unless needed, disable or closely monitor automatic refresh, and revoke/logout sessions if any cookie was pasted into the wrong place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares powerful capabilities via tools and documented behavior—shell execution, browser automation, and outbound network access—without an explicit permissions model that matches that risk. For a credential-management skill, this mismatch is dangerous because it can process secrets and transmit them off-host while appearing less privileged than it really is, reducing user scrutiny and policy enforcement.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document states that no external credentials are needed, but later allows storage and use of client_id/client_secret and refresh-related credentials for token renewal. This inconsistency can mislead users and operators about the sensitivity of data handled by the skill, causing underprotection of secrets and unsafe deployment assumptions.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill claims network requests are limited to declared external_endpoints, but the later trusted-domain list and adapter creation flow clearly contemplate requests to additional domains not listed in the manifest. In a credential vault, this discrepancy is high risk because cookies and tokens may be attached to verification or refresh requests, enabling undeclared data egress to broader destinations than reviewers expect.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The front-matter session_check metadata says to validate against `/explore` with success indicator `userId`, but the body documentation says validation should call `/user/profile/me` and look for authenticated profile content. In a credential-management skill, inconsistent health-check logic can misclassify expired or invalid sessions as healthy, causing unsafe reuse of stale credentials, failed automation, or accidental repeated login/refresh actions that increase account-lock or detection risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This file explicitly documents handling `BDUSS`, a long-lived Baidu authentication cookie that is valid across multiple Baidu services, yet it does not clearly warn users that possession of this cookie can enable broad account access beyond Tieba. In a credential-management skill that supports import, storage, health checks, and automation, normalizing collection of such a cross-service session token materially increases the risk of account takeover, privacy compromise, and misuse if the token is leaked, reused, or over-retained.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents live account actions such as posting replies/comments and liking content using authenticated Zhihu sessions, but it does not include an explicit warning that these actions will affect the user's real account. This can lead to unintended posts, engagement actions, reputation damage, or account penalties if an agent executes them without clear user awareness and confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to paste high-value authentication cookies, including z_c0 as the core auth token and d_c0 as a device identifier used in request signing, without an explicit security/privacy warning about the sensitivity of these credentials. If mishandled, logged, exposed to other tools, or reused beyond the intended scope, these cookies could enable full account access and impersonation until expiry.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest describes a credential-management skill in broad terms ('managing social media account credentials, importing cookies, checking login status, or automating session refresh') without explicit activation boundaries, user-consent requirements, or platform-specific preconditions. Because this skill handles highly sensitive authentication material, overly broad trigger language increases the chance it is invoked for generic requests involving credentials or sessions, which can lead to unnecessary exposure or unsafe automation of account access.

Missing User Warnings

High
Confidence
96% confidence
Finding
The guide explicitly tells users to export live Bilibili session cookies and paste them into another agent. Session cookies and CSRF tokens are bearer secrets that can grant account access and enable authenticated actions, but the instructions do not clearly warn users about that risk or require a narrowly scoped, trusted transfer path.

Missing User Warnings

High
Confidence
97% confidence
Finding
The alternate methods instruct users to copy full cookie values from document.cookie and from HTTP request headers, which exposes the complete authenticated session in plain form. Without privacy and security warnings, users may disclose reusable secrets through the clipboard, console history, screenshots, logs, or an untrusted agent context.

Missing User Warnings

High
Confidence
98% confidence
Finding
The guide explicitly instructs users to copy a long-lived authenticated `BDUSS` cookie from request headers and paste it into another agent, but it does not prominently warn that this cookie functions as a bearer credential granting account access. Because `BDUSS` is described as valid for months and shared across Baidu products, disclosure could enable sustained account takeover or unauthorized access across services.

Missing User Warnings

High
Confidence
97% confidence
Finding
The document recommends exporting `STOKEN` for write operations without a strong warning that this expands capability from read/access validation into account-modifying actions such as posting or replying. Encouraging users to hand over both session and write-capable tokens materially increases the blast radius if the receiving agent, storage, logs, or operators are compromised.

Missing User Warnings

High
Confidence
97% confidence
Finding
The guide explicitly tells users to copy full authenticated Xiaohongshu cookies and paste them into an agent, but it does not clearly state that these values are bearer-style session credentials that can grant account access. In the context of a credential-management skill, this is especially dangerous because users may normalize sharing live session tokens without understanding that anyone with the cookie can act as them until expiry or revocation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document recommends enabling automatic activity renewal to extend cookie validity, but does not clearly explain that this performs automated account activity on the user's behalf. In a social-platform credential manager, this increases risk because it can surprise users, create compliance or account-policy issues, and maintain compromised sessions for longer if credentials are mishandled.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to export cookies via browser tools and plugins and copy them through the clipboard, but omits basic operational-security warnings about clipboard history, shared machines, screenshots, browser extensions, and other insecure storage/transmission paths. Because the data are active session tokens, accidental exposure through these channels can directly enable account takeover.

Missing User Warnings

High
Confidence
98% confidence
Finding
The guide explicitly instructs users to export authenticated Zhihu cookies and paste them into an external agent, but does not warn that these values function as bearer credentials. Anyone with the copied cookies can potentially hijack the logged-in session, access the account, and act as the user until expiry or revocation.

Missing User Warnings

High
Confidence
97% confidence
Finding
The network-inspection workflow teaches users to extract complete authenticated request headers from developer tools, which can expose the full cookie set and other sensitive session data. This materially increases the chance of credential leakage, clipboard compromise, accidental oversharing, and unauthorized account access, especially because the document presents it as a fallback path without strong safety guardrails.

Ssd 3

High
Confidence
98% confidence
Finding
Telling users to paste active session cookies into another agent is direct handling of authentication secrets in plain language. In this skill context, the agent is a credential manager, so the behavior is aligned with intended functionality, but it still materially increases the risk of account takeover if the destination, storage, logs, or transport are compromised.

Ssd 3

High
Confidence
96% confidence
Finding
The document.cookie method instructs users to retrieve and share the browser's live cookie string, exposing session material in a highly copyable and leak-prone format. This is dangerous because clipboard contents, terminal or browser tooling, chat transcripts, and debugging artifacts can all retain the secret and enable replay by an attacker.

Ssd 3

High
Confidence
98% confidence
Finding
Copying the Cookie header from authenticated network traffic exposes the full browser session exactly as sent to the service, which is sufficient for replay in many cases. This method is especially risky because it encourages harvesting secrets from live traffic without emphasizing that these values are effectively account credentials.

Ssd 3

High
Confidence
99% confidence
Finding
This is a direct natural-language request for users to extract authenticated Baidu session cookies and disclose them to the agent. In the context of a credential-management skill, that makes the finding more dangerous rather than less, because the workflow is purpose-built to centralize valuable secrets and normalize sharing bearer tokens with an automated system.

Ssd 3

High
Confidence
99% confidence
Finding
The guide repeatedly tells users how to retrieve `BDUSS` and `STOKEN` from browser storage and share them, which is effectively soliciting disclosure of account secrets. Repetition across multiple methods lowers user hesitation and increases the likelihood of unsafe handling of credentials that can authenticate or authorize actions on Baidu services.

Ssd 3

High
Confidence
98% confidence
Finding
The plugin-based flow directs users to export cookies to the clipboard and paste them into the agent, creating an easy exfiltration path for authenticated session material. Clipboard export is especially risky because other software may read clipboard contents, users may paste into the wrong destination, and the resulting JSON may include more cookies than necessary.

Ssd 3

High
Confidence
98% confidence
Finding
These steps instruct the user to retrieve authenticated Xiaohongshu session cookies from request headers and paste them into another agent in plain workflow language. That is a direct credential-transfer pattern: the values include live session state and can be reused to impersonate the account without the password or MFA until they expire or are revoked.

Ssd 3

High
Confidence
99% confidence
Finding
The guide tells users to run `document.cookie` and share the output with the agent, which is an explicit instruction to extract browser-held authentication material and disclose it. In this skill's context, that materially lowers the barrier to exfiltrating live session credentials and normalizes unsafe handling of highly sensitive secrets.

VirusTotal

64/64 vendors flagged this skill as clean.
