ClawHub

Dataify Facebook Events

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Dataify helper that creates Facebook event collection jobs, with no hidden persistence, destructive behavior, or unrelated data access found.

Install this only if you intend to use Dataify to collect Facebook event data. Review the selected mode, URLs, and file name before submission, because the skill can create authenticated Dataify jobs using a token you provide or a locally saved DATAIFY_API_TOKEN.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger description is overly broad and includes many synonymous and troubleshooting phrases, increasing the chance the skill activates when the user did not specifically intend to send data to Dataify. In a skill that can consume stored tokens and make external requests, unintended invocation materially raises the risk of accidental disclosure or unwanted job submission.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill does not prominently warn users that provided Facebook URLs and API tokens will be transmitted to the external Dataify service. This undermines informed consent and can cause users to reveal sensitive links or credentials without understanding the data flow to a third party.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill enables implicit invocation, allowing the agent to trigger this action without an explicit user request scoped tightly to a narrow set of phrases or conditions. Because this skill submits external Dataify tasks for Facebook event collection, broad automatic activation can cause unintended scraping/task creation, unexpected use of API credentials, and execution on ambiguous user input.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal