ClawHub

Postproxy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PostProxy helper, but it gives an agent broad Bash-based authority to upload local media and publish, schedule, or delete social posts without built-in confirmation guidance.

Install only if you intend to let an agent use your PostProxy API key for connected social accounts. Before allowing commands, verify the exact post body, target profiles, media file paths, schedule time, draft/post ID, and whether the action will publish publicly or delete content. Prefer drafts and narrow API keys where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This skill enables state-changing operations against external social-media accounts, including creating, publishing, scheduling, and deleting posts, but it does not clearly warn that using the skill can immediately affect public-facing accounts. In an agent setting, that omission is dangerous because a user may not realize the requested action has irreversible or externally visible consequences.

External Transmission

Medium
Category
Data Exfiltration
Content
### Create Post (JSON with media URLs)
```bash
curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
91% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Create Post (File Upload)
Use multipart form data to upload local files:
```bash
curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -F "post[body]=Check out this image!" \
  -F "profiles[]=instagram" \
Confidence
95% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Create Draft
Add `post[draft]=true` to create without publishing:
```bash
curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -F "post[body]=Draft post content" \
  -F "profiles[]=twitter" \
Confidence
89% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Publish Draft
```bash
curl -X POST "https://api.postproxy.dev/api/posts/{id}/publish" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"
```
Confidence
92% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Schedule Post
Add `scheduled_at` to post object:
```bash
curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Delete Post
```bash
curl -X DELETE "https://api.postproxy.dev/api/posts/{id}" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"
```
Confidence
88% confidence
Finding
https://api.postproxy.dev/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal