Promptingco

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent purpose, but it asks agents to use a live account session cookie and repeatedly passes that cookie into general-purpose subagent prompts.

Install only if you trust the publisher and understand that the session token may let an agent act in your TPC workspace. Prefer a scoped API token if TPC offers one, confirm the correct TPC domain before use, and require explicit confirmation before approving, deleting, publishing, or batch-changing content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly injects the user's raw `TPC_SESSION_TOKEN` into prompts sent to a general-purpose subagent. That unnecessarily broadens credential exposure to another agent context that may log, transform, or disclose the token, enabling unauthorized access to the user's TPC account if mishandled.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
These workflow examples repeatedly instruct that the session token be included in multiple subagent tasks. Repetition across common flows increases the likelihood of widespread secret propagation, making accidental disclosure or misuse more likely across analytics, content, and prompt-management operations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The common workflow section normalizes sending the user's session token into every general-purpose subagent prompt. Because these are reusable templates for routine operations, the design creates systemic credential exposure and expands the blast radius to any downstream agent behavior or logging path.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill asks the user to provide a live session cookie value, which is highly sensitive credential material, without an upfront warning about the risks of sharing or storing it. In this skill, that danger is amplified because the same token is later propagated into subagent prompts, compounding the chance of exposure.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill offers content creation and publishing flows, including publishing drafts to the live site, without a prominent warning that these operations modify stored or production content. That can lead to unintended destructive or externally visible actions, especially when combined with multi-step delegated workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide explicitly instructs operators to use a live session cookie value (`__Secure-better-auth.session_token`) as an API credential, but provides no warning about treating it as a secret, avoiding logging, or preferring scoped API tokens. Session cookies often grant broad authenticated access and are easy to mishandle in agent logs, screenshots, config files, or error traces, which can lead to account or workspace compromise.

Ssd 3

High
Confidence
99% confidence
Finding
This section directly instructs embedding the session token inside subagent prompt text, which is a textbook secret-delegation flaw. Prompt text is not an appropriate secret channel: it may be retained in memory, surfaced in traces, or reused by the subagent in unintended ways, leading to account compromise.

Ssd 3

High
Confidence
99% confidence
Finding
Multiple workflow templates replicate the same unsafe practice of passing the session token into subagent prompts. Because these are canonical examples for everyday usage, they institutionalize insecure secret handling and make future implementations likely to inherit the flaw.

VirusTotal

66/66 vendors flagged this skill as clean.
