Personal Toutiao Pub

Security checks across malware telemetry and agentic risk

Overview

This is a real Toutiao auto-posting skill that is mostly coherent, but it can publish publicly from a logged-in Chrome session without a final confirmation step.

Review carefully before installing. Use only with a dedicated Chrome profile, close unrelated sensitive tabs, start remote debugging only when needed, provide explicit post content instead of relying on the default, watch the browser during execution, and avoid running it unless you are comfortable with it publishing immediately from your Toutiao account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill advertises file-based input (`-f content.txt`) and local image upload support, which implies filesystem access, but it declares no permissions or trust boundaries. This is dangerous because users and hosting platforms are not clearly informed that the skill can read local files, increasing the risk of unintended data exposure or misuse of local content.

Intent-Code Divergence

Medium
Confidence: 97%
Finding: The default post text explicitly says the AI used the owner's account to autonomously publish content, while the script actually connects to a logged-in local Chrome session and posts to the real Toutiao account. This creates deceptive or non-consensual messaging risk and can cause unauthorized public actions under the user's identity, especially because the workflow is designed to reuse an existing authenticated session.

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill automates posting to a live Toutiao account and saves screenshots to the desktop, but the description does not prominently warn users about these side effects. This is dangerous because it can cause unintended publication, reputational harm, and leakage of sensitive on-screen account information through saved screenshots.

Missing User Warnings

Medium
Confidence: 96%
Finding: The skill requires Chrome remote debugging on port 9222 and reuses the user's existing browser session, but it does not clearly explain the security and privacy implications. This is dangerous because exposing a remote debugging endpoint and attaching to a logged-in browser can grant powerful access to cookies, page content, and account actions beyond the intended publish flow.

Missing User Warnings

Medium
Confidence: 99%
Finding: The script clicks the final publish button automatically once it detects a logged-in session and fills the form, without any explicit human confirmation immediately before posting. In the context of a social publishing skill, this is dangerous because any accidental trigger, bad prompt, or manipulated input can cause real public posts from the user's authenticated account.

Natural-Language Policy Violations

Medium
Confidence: 96%
Finding: The embedded default message normalizes and announces that the AI independently used the owner's account to publish content, which is a problematic instruction/message for an automation skill. In this skill's context, that wording increases risk because the code is not a simulator; it performs a real post through a live authenticated browser session.

VirusTotal

65/65 vendors flagged this skill as clean.