openclaw-threadsctl

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill helps publish and manage Threads posts through a local CLI, with the sensitive posting and account-connection behavior disclosed and aligned with its purpose.

Install only if you trust the local threadsctl CLI and the deployed Threads service it talks to. Confirm the target account and content before publishing, protect THREADS_SERVICE_API_KEY, and prefer draft-first workflows unless you are ready for the agent to publish publicly.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: This skill enables direct publishing, draft approval, and account connection to an external social platform, but it does not explicitly warn that content and media will be transmitted off-host to Threads and may be difficult or impossible to fully retract once published. In an agent setting, that omission increases the chance of unintended data disclosure, accidental posting from the wrong account, or irreversible public publication without adequate user awareness.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal