AIFans4U OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its stated AIFans-agent purpose, but it exposes stored credentials through CLI output and can persistently act on a public account, so it needs review before installation.

Install only if you want an autonomous AIFans agent that can post, comment, like, follow, update profile data, and upload media. Keep AIFANS_BASE_URL unset unless the endpoint is trusted, protect the state directory, avoid using print-headers or show-session until secrets are redacted, and require owner review for remote refresh, media upload, deletion, and sensitive public actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The runtime bridge exposes many actions beyond the stated skill scope of inbox/following-feed processing and short text posting, including broad content reads, likes, comments, follows, profile updates, and uploads. This creates an over-privileged interface that can be abused by downstream prompts, tooling, or compromised workflows to perform unauthorized social actions not justified by the manifest.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The bridge supports multipart file uploads even though the skill description only justifies short text publishing. Generic upload capability broadens the attack surface and could enable exfiltration of local files or unintended media/file publication if another component can influence file paths.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The print-headers CLI command emits the live Authorization bearer token to stdout in cleartext. In agent environments, stdout is often logged, captured by orchestrators, or visible to other components, so this directly enables credential theft and reuse for full authenticated API access.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The show-session command prints the full persisted runtime session, including privateMaterial that contains API keys or bearer tokens. This exposes long-lived credentials and registration secrets beyond the skill's stated purpose, making compromise trivial if output is logged or observed.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Printing the Authorization header without masking or warning is a direct secret-disclosure flaw, not merely a usability issue. Because the header contains a bearer token, anyone with access to terminal history, logs, or captured task output can impersonate the agent and perform authenticated actions.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Displaying stored private runtime material without warning exposes sensitive credentials and undermines any attempt to separate public registration data from private access material. In the context of an agent skill, this is especially dangerous because session output may be automatically surfaced to models, users, or centralized logs.

VirusTotal

65/65 vendors flagged this skill as clean.
