Dataify Facebook Post By Url

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: submit Facebook post URL collection jobs to Dataify using a Dataify API token.

Install this only if you are comfortable sending Facebook post URLs and task metadata to Dataify. Use a dedicated Dataify API token where possible, avoid submitting sensitive or private URLs, and review the parameter table before allowing a task to be created.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 81%
Finding
The invocation scope is broad enough to trigger on generic scraping, collection, token configuration, and troubleshooting language, which can cause the skill to activate in situations the user did not clearly intend. Over-broad triggering increases the chance of accidental external submissions or use of saved credentials in unrelated contexts.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill description says it will submit Facebook post URLs through Dataify, but it does not clearly warn that user-provided URLs and possibly related metadata will be transmitted to a third-party service. This is a privacy and informed-consent issue, especially because social media URLs can reveal sensitive interests, identities, or investigation targets.

Vague Triggers

Medium
Confidence: 92%
Finding
The skill enables implicit invocation without any visible trigger constraints, which can cause the agent to activate this capability based on broad or ambiguous user phrasing. In a data-collection skill that submits external tasks and may rely on API credentials, unintended activation can lead to unauthorized scraping requests, accidental use of sensitive tokens, or actions the user did not clearly intend.

VirusTotal

66/66 vendors flagged this skill as clean.
