Social Media Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local social-media CSV analysis MCP skill with normal npm setup and local report/config persistence, with no artifact-backed evidence of exfiltration or destructive behavior.

Before installing, be aware that this runs a local Node-based MCP server, installs npm dependencies, reads CSV data from the skill directory, and saves reports/settings locally. It appears purpose-aligned and local-only, but avoid placing highly sensitive data in its CSV files unless you are comfortable with local report persistence.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill will install and run third-party Node dependencies needed for the MCP server.

Why it was flagged

The skill depends on external npm packages, which is expected for a Node MCP tool but still introduces normal package supply-chain trust considerations.

Skill content

"dependencies": { "@modelcontextprotocol/sdk": "^1.27.1", "keyword-extractor": "^0.0.28", "sentiment": "^5.0.2", "zod": "^4.3.6" }

Recommendation

Install from a trusted source and review the package lock/dependencies if your environment has strict supply-chain requirements.

ASI06: Memory and Context Poisoning
Low
What this means

Generated reports and saved monitoring settings may remain on disk after use.

Why it was flagged

The skill persists generated analysis reports locally. This is purpose-aligned, but reports may contain imported social-media titles or business monitoring data that could later be reused as context.

Skill content

const outputDir = path.join(projectRoot3, "reports"); ... fs.writeFileSync(outputPath, report, "utf-8");

Recommendation

Treat imported CSV content as untrusted data, review generated reports before sharing or reusing them, and delete local reports/settings when no longer needed.