A skill to help you plan, script, record, edit and publish social media videos

Security checks across malware telemetry and agentic risk

Overview

This video workflow skill is not clearly malicious, but it asks for a reusable account token and uses background reminder jobs that can act and message later.

Review before installing. Only use this skill if you trust the publisher and are comfortable giving it a Humeo PAT, storing that token locally, and enabling background reminder jobs. Prefer a revocable, least-privilege token if available, inspect OpenClaw cron entries after setup, verify the notification channel, and rotate or delete the token when you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The heartbeat reads a personal token from a local file and uses it for authenticated remote API access on a periodic background cycle. Even if intended for calendar reminders, this expands the skill from user-driven video assistance into unattended privileged operations using stored credentials, which creates a real secret-handling and scope-creep risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The heartbeat autonomously manages one-shot cron jobs that later act on the user's behalf and deliver reminders across channels. That is a meaningful capability expansion beyond a normal video copilot and creates persistent agent behavior that can continue outside the user's immediate awareness or control.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill materially expands from video-assistance into persistent reminder automation, cron creation, token handling, and channel orchestration. That scope expansion increases the blast radius from a content tool to an automation tool that can alter user environment state and continue acting after the initial interaction.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs reading ~/.openclaw/openclaw.json and modifying ~/.openclaw/workspace/USER.md to infer channels and persist notification preferences. Reading and writing broader workspace config exceeds typical video-task boundaries and can expose or alter unrelated user settings.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill directs creation, deletion, and cleanup of cron jobs, including removing cron IDs returned from API responses. Cron management introduces persistent background execution and, if mishandled, can disrupt other automations or create unintended recurring actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions access a personal credential file and make authenticated API calls without prominently disclosing that behavior to the user. Hidden secret use is dangerous because users may not realize the skill is reading local sensitive data and performing remote actions on a recurring basis.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The scheduled payload sends messages into multiple user channels and updates remote calendar state, yet those side effects are not clearly disclosed in the skill description. Undisclosed outbound messaging plus server-side state changes can surprise users, cause unwanted communications, and make abuse harder to detect.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance says to use this skill whenever a user wants to plan, record, improve, or publish any video, which is broad enough to capture many ordinary requests. Over-broad auto-selection increases the chance the skill is invoked in contexts where its setup, token, file, and automation behaviors are unnecessary and risky.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly tells the agent to ask the user to paste a full personal access token into chat, without a strong warning or safer collection path. Chat is a poor secret-entry channel because credentials may be logged, retained in transcripts, exposed to other tools, or mishandled by downstream components.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs the agent to ask users to paste a personal access token directly into chat and then persist it locally. Asking for secrets in chat is dangerous because chat logs may be retained, exposed to operators, or leaked through downstream tooling, turning a reusable bearer token into an easily compromised credential.

Ssd 3

High
Confidence
99% confidence
Finding
The skill asks for the full PAT in chat and then persists it locally in a reusable file. This creates both immediate secret exposure in conversation history and longer-term credential risk from local plaintext storage, even with restrictive file permissions.

Ssd 3

High
Confidence
96% confidence
Finding
The embedded cron instructions direct an agent to read a stored PAT and use it to access calendar data and send messages automatically. This enables unattended use of a long-lived credential by background tasks, magnifying the impact of prompt injection, cron misuse, or token theft.

Ssd 3

High
Confidence
96% confidence
Finding
The weekly summary cron similarly instructs a background agent to read a stored PAT, fetch private calendar history, and message a compiled review. This creates ongoing automated access to sensitive user activity data through an LLM-directed workflow, increasing privacy and credential exposure risk.

VirusTotal

63/63 vendors flagged this skill as clean.
