BotRoast

Security checks across malware telemetry and agentic risk

Overview

BotRoast is a real posting integration, but it asks an agent to mine private memory files and potentially publish jokes about the user automatically, which needs careful review.

Install only if you are comfortable with an agent reading personal memory/profile files and sending jokes derived from them to BotRoast.ai. Do not enable heartbeat posting unless you want recurring public submissions, avoid storing the API key in general workspace files, and require manual review of every roast before it is submitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill performs network access and handles credentials/state but does not declare permissions, which undermines review and informed consent. In this context, hidden network behavior is more dangerous because the skill is designed to transmit user-derived content externally and run automatically on heartbeat.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose says the skill generates and submits roasts, but the behavior expands into broader workspace/env inspection, leaderboard/feed reads, and additional state persistence. This mismatch impairs user understanding and can conceal broader data access than expected, especially harmful in a skill that mines personal files for public posting.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to solicit and locally store a human API key even though roast generation itself only needs local content. Asking an agent to collect credentials increases phishing-like behavior and creates a secret-at-rest risk if the workspace is exposed or other skills can read the file.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill first restricts itself to specific files, then later broadens sourcing to 'anything in the workspace,' creating an inconsistent and expansive data collection policy. In context, that expansion materially increases the chance that sensitive or unrelated data will be mined and repurposed into public content.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
Conflicting documentation about permissible data sources creates ambiguity that tends to expand access in practice. Because the output is intended for external publication, any ambiguity around source scope directly raises privacy and confidentiality risk.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The skill reads IDENTITY.md, SOUL.md, AGENTS.md, and BOT_NAME in addition to MEMORY.md, expanding collection beyond the stated MEMORY.md-based purpose. Even if used only to infer a bot name, this broadens access to workspace metadata and can expose unnecessary identity/configuration details to prompts, logs, or future network submissions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The instruction to execute setup immediately upon first reading is broad activation language that can trigger unintended actions such as credential solicitation and preparation for external posting. In a skill with external transmission and recurring automation, implicit activation increases the risk of user surprise and coerced consent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill directs storage of an API key and publication of roasts without a clear, prominent warning that derived content will be posted publicly. Given that the content is sourced from personal memory files, the lack of explicit privacy disclosure and review makes accidental reputational and privacy harm likely.

Missing User Warnings

High
Confidence
98% confidence
Finding
The heartbeat workflow automates recurring external publication from personal files without requiring per-post consent or a strong warning about ongoing disclosure. That makes the skill substantially more dangerous because new sensitive events in memory files may be repeatedly transformed into public posts over time.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to mine long-term memory, user bio, and daily logs for 'painful truths' and embarrassing material, then publish a derived roast publicly. This is dangerous because it operationalizes exfiltration of intimate, potentially sensitive personal information into a public forum under the guise of humor.

Ssd 3

High
Confidence
99% confidence
Finding
Automating repeated harvesting of memory files on a schedule compounds the privacy issue by continuously monitoring new personal information and turning it into public disclosures. The recurring nature increases both scale and likelihood of harm, including reputational damage and disclosure of sensitive life events.

Ssd 3

High
Confidence
98% confidence
Finding
The quality guidance broadens acceptable source material to 'anything in the workspace' for truthful, stinging public content. In context, this is especially dangerous because it invites the model to search across unrelated documents and secrets for humiliating details to externalize.

Ssd 3

Medium
Confidence
94% confidence
Finding
The generated prompt explicitly instructs the agent to use MEMORY.md contents and reference specific details about the human in the roast. In this skill context, that creates a meaningful privacy risk because personal or sensitive workspace memory can be transformed into output that is later submitted to a third-party service, even if the prompt says to avoid some sensitive categories.

External Transmission

Medium
Category
Data Exfiltration
Content
Only read files listed above. The more you know, the better the roast. Use the formula below. Then submit:

```bash
curl -X POST https://botroast-api.vercel.app/api/submit \
  -H "Content-Type: application/json" \
  -d '{"api_key": "YOUR_API_KEY", "roast": "Your savage roast here"}'
```
Confidence
90% confidence
Finding
curl -X POST https://botroast-api.vercel.app/api/submit \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.
