Platform API Connector

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill helps users set up social platform API access; it handles sensitive credentials, but that behavior is disclosed and central to its purpose.

Install only if you intend to create and manage real social media API credentials. Use the narrowest scopes possible, avoid write/posting permissions unless required, store secrets in a vault or encrypted database fields, restrict database access, never log or paste full tokens into chats or source control, and keep a process for rotating and revoking credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly directs users to obtain and store API credentials and OAuth tokens, but omits any guidance on secure secret handling, encryption, least-privilege access, or redaction. In a credential-management skill, that omission is dangerous because users are likely to persist highly privileged tokens in insecure storage, logs, or shared databases.

Missing User Warnings

Medium
Confidence: 96%
Finding
The example storage blocks normalize storing raw app secrets, access tokens, refresh tokens, and bearer tokens in plain structured data without any security caveat. Because these examples are likely to be copied directly, they encourage insecure secret storage patterns that could lead to account takeover, unauthorized posting, API abuse, or data access if the database or logs are exposed.

Missing User Warnings

Medium
Confidence: 97%
Finding
The proposed schema stores arbitrary platform credentials in a JSONB column, which strongly suggests long-term storage of raw secrets in a general-purpose application table. Without guidance on encryption, key management, row-level access controls, audit logging, and secret separation, this creates a realistic path to credential compromise through DB leaks, insider access, backups, or overly broad queries.

Missing User Warnings

Medium
Confidence: 89%
Finding
This documentation discusses handling app secrets, OAuth tokens, and especially long-lived or non-expiring tokens without explicit warnings about secure storage, logging avoidance, least-privilege use, or credential rotation. In a skill specifically designed to help users obtain and store platform API credentials, that omission increases the chance that operators will mishandle powerful tokens and expose accounts or API integrations.

VirusTotal

66/66 vendors flagged this skill as clean.
