
Security audit

Social Media Marketing Hub

Security checks across malware telemetry and agentic risk

Overview

This marketing skill is not clearly malicious, but it needs Review because it can browse, run local media tools, download and transcribe videos, persist reports, and send collected data to external APIs without enough user-facing control.

Install only if you are comfortable with the skill using TikHub/Douyin and DeepSeek APIs, launching browser tooling, running curl/ffmpeg/whisper locally, downloading and transcribing third-party videos, and storing analysis files on disk. Use it on non-sensitive workspaces, review platform/legal obligations for competitor content, and prefer a version with explicit opt-in, host/permission alignment, and deletion or retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises executable capabilities involving environment variables and shell commands, but does not declare permissions for them. This weakens the trust boundary for users and platforms, because the skill can access secrets and invoke local commands without clear upfront disclosure. In this context, the install instructions and command examples make those capabilities real rather than hypothetical.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose frames the skill as a marketing analysis tool, but the behavior extends to browser automation, media downloading, audio extraction, transcription, and persistent local storage. That mismatch is dangerous because users may consent to simple analytics while the skill performs broader data collection and local processing that increases privacy, legal, and system-risk exposure. The marketing context does not justify under-disclosing these behaviors; if anything, scraping competitor content and storing outputs makes transparency more important.

Scope Creep

Medium
Confidence
92% confidence
Finding
The manifest allows outbound network access to Douyin domains in the main permissions block, but the client-facing documentedHosts omit them. This mismatch can hide real network behavior from users or policy layers, reducing transparency and making unexpected data flows harder to review or control.

Scope Creep

Medium
Confidence
94% confidence
Finding
The main permissions grant read/write access to the entire workspace, while clientPermissions present a narrower view limited to the skill directory and memory folder. This discrepancy can mislead users about the skill’s true file-system reach and increases the risk of unintended access or modification of unrelated workspace files.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script imports child_process and later uses shell execution for Xvfb, Chrome, curl, ffmpeg, and whisper. This materially expands the skill from marketing analysis into arbitrary local process execution and media handling, increasing the attack surface and enabling command-injection, unsafe binary execution, or abuse of host resources if inputs or remote data are manipulated.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The competitor-analysis flow downloads remote videos, extracts audio, and transcribes speech, which goes well beyond the stated analysis/generation scope and processes third-party content locally. This creates legal/privacy concerns and introduces significant security risk through remote content handling plus execution of external tools on untrusted media.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises competitor-account analysis and a persistent memory feature but does not explain what data is collected, how long it is stored, or what privacy constraints apply. In a social-media analytics skill, this omission can lead users to process creator/account data and retain analysis artifacts without understanding legal, platform-policy, or privacy implications.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The natural-language trigger is described so broadly that ordinary conversational text could be interpreted as a command, causing the skill to run networked analysis or browser actions unintentionally. In an agent setting, ambiguous invocation increases the chance of accidental scraping, API consumption, or file writes without deliberate user intent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The markdown states that analysis artifacts and memory are written to local files, but it does not prominently warn users about persistence, retention, or potential sensitivity of stored data. This creates a privacy and data-governance risk because competitor/account analysis and generated reports may remain on disk longer than users expect and could be accessed by other local processes or users.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill fetches remote media, derives transcripts from competitor content, and incorporates that content into prompts sent to an external AI service without clear notice or consent. This can leak third-party or sensitive content off-host and creates compliance, privacy, and data-governance risks.

VirusTotal

62/62 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/marketing_hub.js:244