Social Ops

Security checks across malware telemetry and agentic risk

Overview

This is a coherent social-media automation skill, but it can create recurring jobs that post, reply, use account credentials, and read local reference files, with only limited approval controls.

Install only if you intentionally want automated social-media operations. Before enabling the cron jobs, run the installer with `--dry-run`, inspect each schedule and prompt, confirm which account credentials are used, keep `SOCIAL_OPS_DATA_DIR` isolated, keep `Local-File-References` small and explicit, and add your own manual approval step for posts, replies, subscriptions, and other account-facing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The README tells the agent to 'figure out how to install the crons' and bootstrap scheduling, which expands the skill from social-content operations into host-level persistence and task orchestration. That mismatch is dangerous because it encourages system modification outside the user-visible role boundaries, increasing the chance of unintended persistence, unauthorized automation, or abuse if the skill is invoked in a higher-privilege environment.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
Claiming each role has 'bounded authority' while also allowing the skill to install cron jobs is a privilege-boundary contradiction. Users may trust the role model and underestimate that the skill can establish recurring execution on the host, which can persist automated actions beyond the immediate session and complicate auditing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The README introduces host-level cron installation that is not necessary for a social-media operations skill's core purpose. In context, this makes the skill more dangerous because social automation combined with background scheduling can create unattended posting, replying, or data collection behavior that persists without continuous user awareness.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The Content Specialist is explicitly allowed to read local files/directories referenced by `Local-File-References.md`, which creates a path for the skill to ingest arbitrary host data outside the stated social-media workflow. Even if described as human-curated, this expands the trust boundary and can expose unrelated local documents, secrets, or proprietary material to the agent without strong scoping controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The Writer role is documented to read local files/directories from `Local-File-References.md`, giving a content-generation role access to arbitrary local context not required for normal posting operations. This is risky because writer-style roles often summarize and reproduce source material, increasing the chance of accidental data leakage into generated posts, logs, or memory artifacts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The shared artifact map normalizes `Local-File-References.md` as an input channel for Content Specialist and Writer, but the skill's declared purpose is social-media operations, not general local data ingestion. That mismatch makes the skill more dangerous because it institutionalizes a mechanism for importing arbitrary workstation or repository content into agent workflows, where it may be propagated into outputs or persistent logs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding
The role description says the Content Specialist does not post or engage, yet it is instructed to ensure subscriptions and modify real submolt membership state. That creates a scope mismatch where a supposedly strategy-only role can perform live platform-affecting actions, increasing the chance of unintended account changes without explicit operator approval.

Intent-Code Divergence

Severity: High
Confidence: 92%
Finding
The file repeatedly frames the role as non-executing, but later gives it authority over subscription and lifecycle transitions. This contradiction is dangerous because agent systems often rely on role boundaries for safety; a hidden exception can be used to justify unauthorized state changes to audience targeting, distribution, or account configuration.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The role is described as reactive only, but later authorizes proactive engagement in Scout-sourced threads. This contradiction weakens operator and agent guardrails, making it easier for the role to drift into unsolicited outreach or engagement beyond its intended scope, which can create reputational and policy risk in a social-operations context.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The anti-overreach section prohibits entering unrelated threads, but the Scout Awareness section creates an exception for insertion into externally identified threads without clearly defining what makes them sufficiently related. An ambiguous exception like this can be exploited by upstream routing or broad interpretation, leading to scope creep, spammy behavior, or unsafe engagement in conversations the agent should avoid.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The cron setup guidance lacks clear warnings that automated execution may post, reply, or otherwise act on linked social accounts without per-action review. That is risky because scheduled autonomous behavior can cause reputational harm, policy violations, spam-like activity, or accidental misuse of credentials if the configuration is wrong or the environment changes.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
The activation guidance says to use this skill for essentially any social ops task, which is broad enough to trigger the skill in many generic contexts. Because the skill includes references to posting, responding, and automation setup, overly broad activation can cause unnecessary access to sensitive workflows or accidental execution of higher-risk instructions in situations that only needed narrower functionality.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
This script persistently creates or updates scheduled cron jobs in OpenClaw, but the header and flow do not prominently warn the operator that running it will modify long-lived automation state. In a social-ops skill, that is more sensitive because it schedules autonomous posting, replying, scouting, and analysis actions that may continue running after a one-time install, increasing the risk of unintended automated external actions if invoked casually or by a confused user.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The instructions direct the agent to create, refine, retire, and update files in the workspace without a user-facing warning that content will be modified. In agentic environments this can lead to silent alteration of tracked strategy files, causing configuration drift or unauthorized edits that the operator did not expect.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
These instructions authorize direct edits to submolt tracking records for promotion and retirement, but provide no warning, confirmation, or protection against unintended changes. Because these records govern operational targeting and lifecycle state, silent modification can materially alter downstream behavior and may be hard to detect if the agent logs only concise summaries.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This role explicitly instructs the agent to publish content to an external platform and move local files after success, but it does not require an explicit user confirmation or warning at execution time before those side effects occur. That creates a real risk of unintended public posting and unintended local state changes if the skill is invoked in the wrong context, with stale content, or by an agent acting too autonomously.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The role explicitly processes DMs and stores summaries of them in logs, but the skill text provides no explicit privacy notice, consent boundary, retention limit, or handling standard for potentially sensitive personal information. In a social-ops skill, private messages are likely to contain personal or confidential content, so even summarized logging increases privacy, compliance, and data-handling risk.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding
The skill instructs the agent to write a log file in the workspace without warning the user that execution will modify local state. In an agent setting, undisclosed file writes reduce transparency and can lead to unintended persistence, especially when runs are expected to be observational only.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This section directs the agent to modify an existing tracking file, Candidates.md, without clearly disclosing that it will alter a persistent shared artifact. Because this file appears to influence future routing and curation decisions, silent edits can affect downstream agent behavior and create unauthorized or misleading backlog-like entries.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The Writer role explicitly instructs the agent to create new files in the Todo directory and append to memory and log files, but it does not require any user confirmation or prominently warn that the skill will modify workspace content. In an agent setting, silent write operations can cause unintended state changes, content pollution, or abuse if the workspace path is misconfigured or attacker-influenced.

VirusTotal

66/66 vendors flagged this skill as clean.