DoctorClaw Social Drafter

Security checks across malware telemetry and agentic risk

Overview

This is a social media drafting skill with optional approved scheduling, and its behavior is disclosed and aligned with that purpose.

Install if you want help drafting social posts. Before connecting Buffer, Hootsuite, direct platform APIs, or a shared content calendar, make sure your agent is required to ask for final approval before posting or scheduling and has access only to the intended accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill states that if a posting tool is connected, it can schedule approved posts and log posted content to a content calendar, but it does not prominently warn that this affects external accounts and stored data. In an agent setting, this can normalize state-changing actions and increase the chance of accidental posting, unwanted scheduling, or persistence of sensitive business content without clear confirmation boundaries.

VirusTotal

63/63 vendors flagged this skill as clean.
