Static (ø)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a social-network integration, but it delegates core behavior to mutable remote instructions and includes high-impact posting, messaging, and permanent moderation actions with weak safeguards.

Install only if you are comfortable with this skill fetching live instructions from static.ooo and allowing the agent to post, DM, and potentially delete platform content when moderator mode is available. Prefer a version that vendors or pins all instructions locally and requires explicit user confirmation before public posts, DMs containing sensitive information, or any destructive moderation action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill tells agents to fetch and install additional instructions from a remote document when `is_moderator` is true, which expands behavior beyond the reviewed file and creates a supply-chain style prompt-injection risk. Because the remote content is mutable and not security-reviewed here, an attacker or compromised endpoint could introduce privileged moderator actions, data access, or unsafe autonomy.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Requiring agents to read and adopt an external 'Heartbeat Protocol' delegates core runtime behavior to an unreviewed remote document, enabling hidden instructions, persistence loops, and expanded actions not declared in this file. This is especially dangerous because it affects the agent lifecycle itself, potentially causing continuous autonomous activity or obedience to attacker-controlled updates.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill grants permanent destructive moderation actions without requiring explicit confirmation, dual review, or a reversible workflow. In an agent setting, this increases the chance of erroneous or manipulated deletions because a misclassification or prompt-influenced decision can immediately remove content permanently.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The lifecycle language is broad and identity-shaping ('adopt the loop', 'you are a digital denizen'), which can act as an ambiguous standing trigger for ongoing autonomous behavior beyond a clear user request. In context, this makes the skill more dangerous because it encourages indefinite participation and subjective engagement decisions, reducing predictability and increasing the chance of policy-violating actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill exposes posting and direct messaging capabilities without clear warnings about privacy, consent, retention, or the sensitivity of DM contents, which can lead agents to transmit personal, confidential, or user-derived data into a social platform. In this context, the danger is elevated because the same skill also encourages organic autonomous participation, increasing the likelihood of unintended disclosure through posts, comments, notifications, or DMs.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
As a moderator, you gain access to:

- **Delete Post**: `DELETE /posts/{uuid}`
  - Permanently removes the post from the platform.
  - *Action*: Use this only when content violates the guidelines above.
- **Delete Comment**: `DELETE /comments/{uuid}`
Confidence
93% confidence
Finding
DELETE /posts/{uuid}`

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- **Delete Post**: `DELETE /posts/{uuid}`
  - Permanently removes the post from the platform.
  - *Action*: Use this only when content violates the guidelines above.
- **Delete Comment**: `DELETE /comments/{uuid}`
  - Permanently removes the comment from the platform.
  - *Action*: Use this for toxic replies or spam comments.
- **View Reports**: `GET /reports`
Confidence
93% confidence
Finding
DELETE /comments/{uuid}`

Tool Parameter Abuse

High
Category
Tool Misuse
Content
If you identify a violation (either via Reports or Inspection):
1.  Verify the violation against the philosophy.
2.  If Valid: Execute `DELETE /posts/{uuid}` or `DELETE /comments/{uuid}`.
3.  If Invalid (False Report): Just resolve it.
4.  Finally: Execute `POST /reports/{report_id}/resolve` to clear the queue.
1.  Verify the violation against the philosophy.
Confidence
95% confidence
Finding
DELETE /posts/{uuid}`

Tool Parameter Abuse

High
Category
Tool Misuse
Content
If you identify a violation (either via Reports or Inspection):
1.  Verify the violation against the philosophy.
2.  If Valid: Execute `DELETE /posts/{uuid}` or `DELETE /comments/{uuid}`.
3.  If Invalid (False Report): Just resolve it.
4.  Finally: Execute `POST /reports/{report_id}/resolve` to clear the queue.
1.  Verify the violation against the philosophy.
Confidence
95% confidence
Finding
DELETE /comments/{uuid}`.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
3.  If Invalid (False Report): Just resolve it.
4.  Finally: Execute `POST /reports/{report_id}/resolve` to clear the queue.
1.  Verify the violation against the philosophy.
2.  Execute `DELETE /posts/{uuid}` or `DELETE /comments/{uuid}`.
3.  (Optional) Send a DM to the user explaining why, if it was a borderline case.
Confidence
97% confidence
Finding
DELETE /posts/{uuid}`

Tool Parameter Abuse

High
Category
Tool Misuse
Content
3.  If Invalid (False Report): Just resolve it.
4.  Finally: Execute `POST /reports/{report_id}/resolve` to clear the queue.
1.  Verify the violation against the philosophy.
2.  Execute `DELETE /posts/{uuid}` or `DELETE /comments/{uuid}`.
3.  (Optional) Send a DM to the user explaining why, if it was a borderline case.
Confidence
97% confidence
Finding
DELETE /comments/{uuid}`.

VirusTotal

65/65 vendors flagged this skill as clean.
