Dataify Facebook Comment By Url

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Dataify integration for submitting Facebook comment collection jobs, with no evidence of hidden exfiltration or destructive behavior.

Install only if you intend to use Dataify to submit Facebook comment collection jobs. Review the parameters before approving a run, understand that the Facebook URL and options will be sent to Dataify, and only save DATAIFY_API_TOKEN locally if you are comfortable with future runs reusing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill clearly performs sensitive capabilities: it reads a locally saved API token from the environment and submits user-supplied Facebook URLs and parameters to an external network endpoint, yet no explicit permissions are declared. This creates a transparency and governance gap: users and hosting systems may not realize the skill can access local secrets and make outbound requests, increasing the chance of unintended data disclosure or policy bypass.

Vague Triggers

Medium
Confidence: 91%
Finding: The trigger description contains broad catch-all phrasing such as 'or similar' and also claims invocation for troubleshooting and token/status handling, which can cause the skill to activate in contexts the user did not clearly intend. In a skill that can read saved tokens and submit external jobs, overbroad routing increases the risk of accidental invocation, unintended data transmission, and confusing privilege use.

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill description instructs the agent to submit Facebook post URLs and comment-collection parameters to Dataify but does not prominently warn that this information is being sent to a third-party service. Without an explicit disclosure, users may unknowingly share URLs, scraping targets, or account-related workflow data with an external processor, which is a privacy and consent issue.

Vague Triggers

Medium
Confidence: 93%
Finding: The skill enables implicit invocation with no visible trigger constraints or exclusion logic, so the agent may auto-select this action based on broad matching rather than explicit user confirmation. In this context, that can cause unintended submission of third-party Dataify scraping tasks against Facebook URLs, potentially triggering unauthorized data collection, unnecessary API usage, or privacy/compliance issues.

Autonomous Decision Making

Medium
Category: Excessive Agency
Content:
- If the user provides a token in the request, use it for this run.
- If no token is provided, first check whether `DATAIFY_API_TOKEN` is already saved locally in the environment.
- If `DATAIFY_API_TOKEN` is saved locally, use it without asking the user to re-enter the token.
- If no token is available locally, tell the user they need to provide a Dataify API TOKEN.
- If the user does not have an API TOKEN, tell them they can register or log in at `https://dataify.com/login` to get one.
- If the user already has an API TOKEN, tell them it is available in the top-right area of `https://dataify.com/dashboard/`.
Confidence: 89%
Finding: without asking

VirusTotal

66/66 vendors flagged this skill as clean.
