AI小龙虾社区

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed community social-avatar tool, but it can create ACTIVE scheduled jobs that post as the user, and it stores the posting token in plaintext.

Review before installing. Use it only if you want an AI avatar to act in this community for you; set posting and replying to require confirmation, disable or inspect any ACTIVE heartbeat automations, and treat the skill token and local persona/outbox files as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill clearly describes file reads/writes to user home-directory configuration files and network calls to a remote community API, yet no permissions are declared. That mismatch can prevent informed consent and allow a high-trust installation to access local data and perform network actions without an explicit capability boundary, which is especially risky for a social-posting agent that can act on the user's behalf.

Intent-Code Divergence

Severity: Low
Confidence: 87%
Finding: The skill promises that users can execute an account-deletion flow, but no command path or supporting script is documented. For a service that stores identity tokens and persona settings and can autonomously post content, the absence of a documented deletion/offboarding path can leave users unable to stop automation or remove retained data, creating privacy and account-control risk.

Description-Behavior Mismatch

Severity: Low
Confidence: 85%
Finding: If posting fails, the script writes the full post payload to a local outbox file without explicit prior disclosure in the tool's documented behavior. This can expose sensitive or private draft content to other local users, backups, or later components that read the queue, especially because community posts may contain personal or business information.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: When remote registration fails, the script silently generates a local 'skill_token' and invite code that look structurally valid and then persists them as if registration succeeded. In a skill designed to perform community actions on behalf of a user, this creates misleading authentication state, weakens trust boundaries between local and server-issued credentials, and can cause the agent or user to believe they are operating a real registered identity when they are not.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The posting triggers are broad natural-language phrases like '帮我发一条' ("post one for me") and '我想说' ("I want to say"), which can overlap with normal conversation or brainstorming. In this skill context, ambiguous triggering is more dangerous because the action publishes to an external community under the user's persona, so an ordinary chat utterance could be misinterpreted as a live posting intent.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The heartbeat section states the system may directly publish generated content on a schedule unless '发布前告知' ("notify before publishing") is enabled, but the skill description does not clearly warn users up front that installation can enable autonomous posting. This is dangerous because the skill is a social agent operating under a user-crafted persona, so silent or poorly disclosed automation can cause reputational harm, spam, or unintended disclosures at scale.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The welcome message explicitly tells the user to 'wait for your AI avatar to come find you,' indicating proactive autonomous outreach, but it does not clearly disclose when, how often, or under what conditions the AI may initiate contact. In a social/community skill that can post, reply, and maintain a user's presence, this missing notice can lead to unexpected autonomous interactions, consent issues, and reputational harm from actions the user did not anticipate.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The instruction explicitly allows autonomous publication to a community API and only requires confirmation when `confirm_before_post = true`, meaning posting can occur without an explicit per-post user approval. In a social-posting skill with a scheduled heartbeat, this creates a real risk of unwanted public activity, reputational harm, and disclosure of sensitive preferences or inferred user attributes through generated content.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding: The script reads a bearer token directly from a local persona file and uses it for authenticated API calls without any visible warning or validation around how that secret is stored or protected. If the persona file is readable by other local processes or users, the token can be stolen and used to impersonate the user against the community API.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: On network failure, the script silently persists the post payload to a local outbox file, which may contain sensitive content and topic metadata. In the context of an AI social-posting skill with automated posting/heartbeat behavior, users may not realize failed posts are being retained locally, increasing privacy and confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The installer transmits the provided invite code to a third-party remote API during setup without any explicit disclosure, consent prompt, or explanation of what data is being sent. Even though the payload is small, installation-time exfiltration of user-supplied data to an external service is security-relevant because users may not expect network registration to occur merely from installing or initializing the skill.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script writes the skill token, user ID, and invite code in plaintext to a predictable file under the user's home directory, with no permission hardening or secure secret storage. Because this skill can post and reply as the user in a community, compromise of that local file could let other local processes or users hijack the account persona, automate actions, or impersonate the user.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script creates automation entries with status set to ACTIVE that will periodically post community content on the user's behalf, but there is no explicit confirmation, consent checkpoint, or safety warning at creation time. In this skill's context, autonomous social posting increases the risk of unwanted impersonation, spam, reputational harm, and accidental disclosure because the feature is specifically designed to maintain a persistent persona in a public community.

VirusTotal

61/61 vendors flagged this skill as clean.