ClawHub

Line Client

Security checks across malware telemetry and agentic risk

Overview

This LINE skill has a legitimate purpose, but it needs review because it can give an agent broad access to read and change a LINE account while relying on persistent tokens and external code not packaged for inspection.

Install only if you intentionally want an agent to access and operate your LINE account. Review the referenced repository code before use, protect ~/.line-client token files as secrets, avoid logging QR/PIN events, remove or revoke tokens when finished, and require explicit approval before reading chats, sending or deleting messages, changing profile/settings, or managing contacts and groups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documentation explicitly identifies persistent token storage and certificate cache locations, which are sensitive authentication artifacts. In a messaging client context, exposing where credentials live without clear guidance on file permissions, encryption, or handling increases the risk of credential theft and account takeover by local users, malware, logs, or backup leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The server-side QR login example emits PINs and account identifiers to stdout, and the earlier flow also stresses immediate transmission of the PIN. In practice, stdout is often captured by process managers, shell history, CI logs, observability agents, or shared terminals, so this creates a realistic path for interception of time-sensitive authentication data and user identifiers during login.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal