Back to plugin

Security audit

Instagram API

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate ClawHub CLI, but it can publish local skill folders in a surprising default path when a token is stored.

Install only if you intend to use this CLI for ClawHub publishing and package management. Avoid running it with no subcommand in tokened CI or headless environments; prefer explicit commands such as `clawhub sync --dry-run`, review the detected files, and use `.clawhubignore` for anything that must not be uploaded.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.js:231
Evidence
const apiKey = [REDACTED] || readAgntConfig()?.apiKey