ClawHub

My goal is to support the community and continue creating more useful tools. If these automations prove to be very helpful to you, or if you see value in what I'm sharing, any donation, no matter how small, is welcome and will allow me to dedicate more time and resources to building new templates and contributing more solutions. https://donate.stripe.com/bJe6oGaaQ9JC1jf15gdwc01 Thank you for your interest, and I hope you find them very useful.

Security checks across malware telemetry and agentic risk

Overview

This is mostly a social media content guide, but it under-scopes high-impact posting authority and bulk scraping guidance.

Use this skill for drafting, planning, and content analysis ideas. Before installing, be aware that it may lead an agent toward public posting, scheduling, DMs, comments, or bulk scraping; require explicit approval before any external-account action and only collect platform data through authorized, compliant methods.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to gather 500-1000+ posts from third-party creators and names scraping/automation tools such as Apify and Phantom Buster. In a social-content skill, this goes beyond normal content planning and encourages large-scale collection of third-party platform data, which can violate platform terms, privacy expectations, or enable competitive intelligence abuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill claims 'direct access to a scheduling platform that publishes to all major social networks' without requiring confirmation, scoping, or warning about external-account impact. This raises the risk of unauthorized or unintended posting actions if an agent interprets the skill as permission to schedule or publish content directly to connected accounts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal