X Content Strategy (X 内容策略)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent X/Twitter content strategy skill, with the main caution that account diagnosis data may be saved locally and reused later.

Install this if you are comfortable with local retention of X account diagnosis material. For sensitive analytics exports or private account data, ask the agent to confirm before saving, use only the minimum data needed, and request deletion or no reuse of prior strategy files when appropriate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill specifies default persistence of account diagnostics and historical user information under a predictable user-data path, but it does not require clear notice, consent, or an opt-out before storing that data. This creates a privacy and data-governance risk because users may provide account or performance data for one-time analysis without realizing it will be retained for future use.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs collection and storage of analytics exports, post samples, and scraped public-profile data, but provides no privacy notice, consent guidance, retention limits, or handling rules. In a data-analysis workflow, this increases the risk of over-collection, improper storage of personal or account-linked data, and noncompliant scraping or reuse of user data.

Ssd 3

Medium
Confidence: 97%
Finding
The instruction to silently read an existing strategy.md file for personalization means previously stored account information is reused without re-confirming the user's intent or awareness. Silent reuse increases privacy risk, can surface stale or sensitive data in later sessions, and undermines user control over how historical profiling information is applied.

Ssd 3

Medium
Confidence: 98%
Finding
The skill defines persistent storage of profile data, post exports, reports, and strategy artifacts as a default workflow for account diagnosis. That is a real privacy vulnerability because it normalizes long-term retention of potentially sensitive user and account analytics data without explicit consent boundaries, minimization, retention policy, or access controls.

VirusTotal

64/64 vendors flagged this skill as clean.
