ClawHub

My goal is to support the community and continue creating more useful tools. If these automations prove to be very helpful to you, or if you see value in what I'm sharing, any donation, no matter how small, is welcome and will allow me to dedicate more time and resources to building new templates and contributing more solutions. https://donate.stripe.com/bJe6oGaaQ9JC1jf15gdwc01 Thank you for your interest, and I hope you find them very useful.

Security checks across malware telemetry and agentic risk

Overview

This social media skill is mostly a content strategy guide, but it claims publishing access and recommends large-scale scraping without clear consent, scope, or compliance safeguards.

Install only if you are comfortable with a skill that may guide social scheduling, public posting workflows, and bulk social-content research. Keep it draft-first, manually approve every post or scheduled item before it reaches a public account, and use only platform-approved exports or lawful data sources for competitor/content analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill states it has direct access to a scheduling platform that publishes to major social networks, which expands it from advisory behavior into external-action capability. Without explicit user confirmation, scope limits, or safety messaging, this can enable unintended or unauthorized posting to third-party accounts.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The reverse-engineering section encourages collecting 500-1000+ posts using scrapers and automation tools such as Apify and Phantom Buster. That goes beyond normal content assistance and can facilitate mass scraping of third-party platform data, creating privacy, terms-of-service, and abuse risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Describing direct publishing/scheduling capability without warning that content may be sent to external social networks creates a hidden side-effect risk. Users may reasonably expect brainstorming help, not outbound posting, which raises the chance of accidental publication, reputational harm, or misuse of connected accounts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal