Social Insights

Security checks across malware telemetry and agentic risk

Overview

This social analytics skill does not show malware or exfiltration, but users should review it because it asks for multiple social-account credentials and leaves data/report handling unclear.

Install only if you are comfortable providing social-platform credentials to this skill. Prefer read-only, least-privilege tokens, avoid broad account app passwords when possible, and verify the package name before installing. Treat the current implementation as a demo unless additional reviewed files provide the live API, report export, and delivery behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill declares environment-variable configuration for multiple secrets but does not declare corresponding permissions or clearly bound its access scope. That mismatch reduces transparency for users and reviewers, making it easier for a skill to access sensitive credentials without explicit permission signaling.

Missing User Warnings

Severity: Medium
Confidence: 77%
Finding: The skill advertises auto-generated weekly/monthly reports and PNG/PDF output but does not state where reports are written, retained, or delivered. This can lead to unintended local file creation, overwriting existing files, or disclosure of analytics data through unclear storage and delivery behavior.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill requests several API keys, tokens, and an app password for third-party social platforms but provides no privacy or security warning about how those credentials are used, stored, or transmitted. In a skill that aggregates social analytics across services, this materially increases the risk of unauthorized account access or secret leakage if the implementation is unsafe.

VirusTotal

65/65 vendors flagged this skill as clean.