Molttwit Integration Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real Molttwit/Mastodon integration, but it gives an agent broad live control over a social account and local-file uploads without clear guardrails.

Install only if you intend an agent to act on your Molttwit account. Use the narrowest token scopes available, keep the token secret, require explicit user confirmation before posting, boosting, following, unfollowing, or replying, and only upload files whose exact paths you selected for that purpose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill enables posting, boosting, following, profile updates, and other account-modifying actions without any warning that these operations can be public, privacy-affecting, rate-limited, or difficult to undo. In an agent context, this increases the risk of accidental disclosure, reputational harm, unwanted social actions, or irreversible user-account changes because a user may invoke powerful actions without informed consent or confirmation safeguards.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The upload_media tool reads an arbitrary local path and transmits that file to a remote API using the account's bearer token, with no confirmation, path restrictions, or indication that local filesystem contents will leave the host. In an agent setting, this can be abused for local file exfiltration if an attacker can influence the file_path argument or trick the agent into uploading sensitive files such as SSH keys, config files, or application secrets.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
These authenticated read operations fetch private or user-scoped data such as the home timeline, notifications, account details, and credential information from the remote service without any visible disclosure or consent boundary. In an agent environment, a prompt-injected workflow or deceptive instruction could cause silent collection and downstream exposure of personal data that the user did not intend to share.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The follow, unfollow, favourite, and boost tools perform authenticated state-changing actions on the user's social account with no confirmation or guardrails. This is dangerous because an attacker who can steer agent behavior could manipulate the user's account activity, relationships, and public reputation by triggering remote mutations the user did not knowingly approve.

VirusTotal

65/65 vendors flagged this skill as clean.