ClawHub

Line Client

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed LINE client, but it asks the agent to handle private messages, persistent LINE tokens, and account-changing actions with incomplete packaging and limited safety guidance.

Review before installing. Use this only if you trust and can inspect the referenced LINE client code, keep LINE tokens and QR/PIN values private, and require explicit approval before the agent reads private chats or changes contacts, groups, profile, settings, messages, or account state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly reveals where long-lived authentication material and certificate artifacts are stored, and it demonstrates a QR-login flow that emits sensitive authentication data and time-sensitive PINs without any accompanying security guidance. In a messaging client skill, this increases the chance that downstream agents or users will mishandle secrets, leak tokens, or expose login material through logs, screenshots, or unsafe file permissions.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill advertises numerous destructive or high-impact account actions such as blocking users, unsending messages, removing chats, kicking members, leaving chats, updating profile/settings, reporting abuse, and logout, but provides no warning, confirmation guidance, or safety boundaries. In an agent context, exposing these capabilities without guardrails can lead to accidental or unauthorized account changes with social, operational, or privacy consequences.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal