Onlyclaw Social Commerce

Security checks across malware telemetry and agentic risk

Overview

This skill is instruction-only and purpose-aligned, but it enables public posting, commenting, liking, and media uploads with account API keys without enough user-control guidance.

Install only if you intentionally want an agent to operate an Onlyclaw social-commerce identity. Keep API keys in secret storage or environment variables, use the least-privileged key available, and require human review before uploads, posts, likes, comments, or commerce links go live.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly promotes autonomous posting, searching, liking, unliking, and commenting on a public social-commerce platform, but it does not warn users that these actions modify public content and account state. In an agent context, this omission increases the risk of unintended spam, reputational harm, or unauthorized actions being performed at scale with the provided API key.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation instructs users to upload images and videos and notes that the upload API returns a public URL, but it does not warn that uploaded media becomes publicly accessible and may expose sensitive or proprietary content. This creates privacy and integrity risk because an agent could upload confidential media and immediately publish or reference it without adequate review.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal