Social Media Platform

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only guide for building a social media publishing platform; its sensitive behaviors are disclosed and aligned with that purpose, but it needs careful security implementation.

Safe to install as a builder guide, not as a finished secure implementation. Before using it for a real product, add a secrets manager or encrypted token storage, least-privilege OAuth scopes, token revocation, publish confirmations, approval flows for scheduled or bulk posting, and logs showing who published to which account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding: The skill explicitly proposes storing platform credentials in a generic `credentials (JSONB)` column but gives no guidance on encryption, secret segregation, rotation, least-privilege scopes, or access control. In a social-media publishing system, these tokens often grant direct posting and analytics access to external accounts, so insecure storage can lead to account takeover or unauthorized publishing.

Missing User Warnings

Medium
Confidence: 82%
Finding: The skill includes endpoints and workflows for publishing to connected social accounts but does not require explicit user confirmation, account-selection safeguards, dry-run mode, or warnings that actions will post externally. This increases the risk of accidental or unauthorized publication, especially in multi-platform bulk publishing flows where one action can affect several public accounts at once.

VirusTotal

66/66 vendors flagged this skill as clean.
