Weibo Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill does perform its stated Weibo posting function, but it needs review because it can publish public posts from a logged-in account, encourages unattended posting, stores post content locally, and includes moderation-evasion guidance.

Review carefully before installing. Use only with an account and browser profile you are comfortable letting automation post from, require explicit confirmation before every live or scheduled post, avoid the hourly/trending-news automation examples, do not follow the sensitive-word evasion advice, and clear or restrict the local state file if post content is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill instructs reading and writing `memory/weibo-state.json` but does not declare any permissions or prominently disclose that persistent local storage is used. Undeclared file I/O weakens the trust boundary for a skill that also performs live posting, because users and reviewers may not realize posting history and content are being retained on disk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documented behavior goes beyond the stated purpose by adding persistent state tracking, local history inspection, and scheduling/state-management concepts that are not clearly disclosed in the manifest description. This mismatch is dangerous because users may invoke what appears to be a simple posting skill without understanding that it may retain metadata/content locally and support additional behaviors outside the advertised scope.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding: The documentation expands scope from basic posting into scheduled posting and persistent state tracking, which changes the operational and privacy profile of the skill. Scope expansion matters in this context because the skill can cause real public actions and retain a local posting record, so undocumented additions increase the risk of unexpected automation or data retention.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The examples explicitly add autonomous content generation from trending topics and news, which expands the skill from user-directed publishing into agent-driven content creation. In a social-media posting skill, this materially increases the risk of unreviewed, misleading, or policy-violating posts being generated and published without clear user authorization.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The documentation includes scheduled and recurring posting workflows such as hourly automation, which are not part of the declared purpose of simple Weibo publishing. In the context of browser automation against a real social platform, this broadens the capability into unattended account activity and raises abuse, spam, and account-suspension risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: Using shell command execution for sleep introduces an unnecessary execution primitive that is unrelated to the core task of publishing a post. Even though the shown command is benign, normalizing exec usage inside examples can lead to capability creep and makes it easier for future variants to invoke arbitrary commands in a skill that should only need browser actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: This second use of exec for sleeping repeats the same unnecessary command-execution pattern, reinforcing that shell access is acceptable within the skill workflow. In a browser automation skill, introducing command execution is dangerous because it exceeds the stated scope and could be repurposed for host-level actions unrelated to Weibo posting.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The troubleshooting guide introduces host-level process inspection and termination commands (`ps`, `pkill`) that exceed the skill's stated purpose of browser-based Weibo posting. In an agent context, normalizing shell-based process management expands the operational scope and can lead to unintended interference with other local processes or profiles if copied into automation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The example adds arbitrary command execution (`exec(command="sleep 2")`) even though the skill is described as browser automation for posting. Allowing or encouraging shell execution broadens the privilege boundary unnecessarily and creates a precedent for using general command execution in a narrowly scoped skill.

Context-Inappropriate Capability

Severity: Low
Confidence: 82%
Finding: The guide recommends reviewing local memory/log files unrelated to the immediate posting action. In an agent environment, encouraging access to local files can expose unrelated user data and expands the skill beyond its declared posting-only purpose.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The documentation makes a contradictory and likely incorrect claim that Chinese quotation marks or Chinese content require Unicode-escaping for successful posting, despite earlier guidance stating normal Unicode and emoji work directly. Misleading encoding guidance can corrupt content handling, create inconsistent behavior, and push implementers toward brittle transformations that are unnecessary or harmful.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill performs an external side effect by publishing content to a real Weibo account and also instructs modification of a local state file, yet the quick reference contains no explicit user-facing warning, confirmation step, or consent boundary. This increases the risk of unintended posting, accidental account misuse, and silent local-data modification, especially because browser automation can act immediately on a logged-in session.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The trigger description is broad enough to match ordinary requests about posting or sharing content, which can cause over-activation of a skill that performs a live public post via an authenticated browser session. In this context, ambiguous invocation is risky because accidental activation could publish user text to a real Weibo account without sufficiently narrow intent matching.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill does not clearly foreground two sensitive side effects: it will make a live public post and it may write posting history/content to local storage. This is more dangerous here than in a purely informational skill because the action is externally visible, potentially irreversible, and tied to an authenticated social-media account, creating privacy, reputational, and consent risks.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The automated posting guidance describes repeated social-media activity without warning users about spam risk, account restrictions, or platform enforcement consequences. Given the skill's direct ability to act on a real account, omission of these cautions makes unsafe automation more likely and can lead to account damage or abusive behavior.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The documentation includes `pkill` guidance without clear warning about terminating browser processes. In practice, such commands can disrupt unrelated sessions, destroy unsaved browser state, or terminate the wrong process if the pattern matches broadly.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding: The recommended workflow invokes shell execution solely to sleep, without disclosing that subprocess execution is part of the flow. Even a harmless example broadens expectations around using shell access in a skill that should remain limited to browser automation.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding: The workflow again uses shell execution for a delay, reinforcing unnecessary subprocess usage in a posting skill. Repeated undocumented shell examples increase the chance that future extensions will adopt broader command execution patterns.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding: Mandating Unicode escaping for all Chinese content imposes a language-specific transformation without user opt-in or technical necessity. This can alter user-intended content handling, introduce discrimination-by-design in content processing, and create avoidable reliability issues for one language group.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding: The summary escalates the earlier flawed guidance into a universal rule that Unicode escaping is required for every post, effectively baking a language-specific policy into the workflow. In context, this is more dangerous because it appears as authoritative final guidance and is likely to be implemented broadly.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The document provides a complete, ready-to-run workflow for publishing to Weibo via browser automation, including navigation, element interaction, and clicking the send button, without any user-confirmation or safety warning. In the context of an agent skill whose purpose is to post on behalf of a user, this increases the risk of unintended or unauthorized social media actions if invoked with unreviewed content.

Ssd 2

Severity: Medium
Confidence: 97%
Finding: The troubleshooting advice explicitly suggests using synonyms or adding spaces to get around sensitive-word detection. That is guidance for evading platform moderation controls, which can facilitate posting prohibited content and exposes users or operators to policy and account-enforcement risk.

Ssd 2

Severity: Medium
Confidence: 96%
Finding: The instructions recommend modifying blocked posts to avoid detection of sensitive words, which again assists in circumventing platform safeguards. In a social-posting skill, this is especially problematic because moderation evasion is closely tied to the core action the skill performs.

VirusTotal

55/55 vendors flagged this skill as clean.