Social Content Pro

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local social-content helper with marketing claims about posting and analytics, but the reviewed code does not publish, connect accounts, call networks, or persist data.

Safe to install as a local content-generation helper based on these artifacts. Do not provide broad social-account tokens or enable any real auto-posting service unless a future version clearly documents scopes, approval controls, data handling, and token revocation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README promotes auto-scheduling, analytics, and competitor analysis capabilities without clearly warning that these features may require access to third-party social accounts, collection of engagement data, or processing of competitor/public profile data. In an agent skill context, this can lead users to grant broad permissions or initiate networked actions without understanding privacy, account security, rate-limit, or platform policy risks.

Missing User Warnings

Medium
Confidence: 94%
Finding
Auto-posting and account connection imply delegated authority to publish content on the user's behalf, which can affect brand reputation, leak sensitive content, or violate least-privilege expectations if users are not clearly warned. In a social-media automation skill, this is materially risky because the feature can directly trigger external side effects on third-party accounts.

Missing User Warnings

Low
Confidence: 89%
Finding
Performance analytics and audience insights imply collection or processing of account metrics and potentially follower/audience data without explaining what is collected, retained, or shared. While lower impact than auto-posting, missing privacy disclosure can lead to uninformed consent and mishandling of social/account data.

Missing User Warnings

Low
Confidence: 84%
Finding
Competitor analysis can involve scraping, monitoring, or profiling third-party accounts, which may implicate platform terms, privacy expectations, or compliance obligations if not bounded and disclosed. The danger is contextual rather than inherently malicious, but omission of usage constraints makes misuse easier.

VirusTotal

59/59 vendors flagged this skill as clean.
