social-media-analysis

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent social-media backfill purpose, but it asks for high-impact credentials and performs broad scraping, downloads, local writes, and Feishu record updates with weak scoping and secret-handling guidance.

Review before installing. Use only with a dedicated low-privilege Feishu app and a non-sensitive test table first, avoid personal Xiaohongshu session cookies where possible, never paste cookies in shared terminals or logs, restrict table URLs to expected platforms, and run downloads in an isolated workspace with quotas and cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Scope Creep

High
Confidence
97% confidence
Finding
The manifest restricts network access to Feishu, but the workflow requires fetching content from Douyin, Weibo, Toutiao, Bilibili, Xiaohongshu, image CDNs, and possibly other media hosts. This discrepancy hides the true external communication surface, which undermines sandboxing, review, and user consent for outbound connections.

Scope Creep

Medium
Confidence
90% confidence
Finding
The documented use of yt-dlp, ffmpeg, Playwright, and download scripts implies local filesystem reads and writes for videos, images, frames, and temporary artifacts, but the manifest does not disclose that capability. Hidden file I/O increases the risk of uncontrolled storage use, persistence of downloaded content, and mismatch between expected and actual execution privileges.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The workflow explicitly shells out to multiple powerful local executables and automation tools against attacker-controlled URLs from a table. This materially expands the skill's capabilities from simple analysis into arbitrary network retrieval, browser automation, file creation, and media processing, increasing the attack surface for SSRF, unsafe downloader behavior, malicious media handling, and abuse of local resources.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The quickstart explicitly instructs users to extract full Xiaohongshu session cookies from browser developer tools and store them in environment variables or files. Session cookies are authentication secrets; exposing or mishandling them can enable account takeover, unauthorized access to private data, and actions performed as the user. In this skill context, cookie use may be functionally necessary for scraping protected content, but documenting raw session-token harvesting without strong safeguards materially increases credential-handling risk.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The README recommends storing Xiaohongshu cookies in an environment variable, which can expose authenticated session material to subprocesses, shell history, logs, crash reports, or other local users depending on the environment. Because these cookies appear to grant account-backed access, careless handling can lead to session theft or unintended disclosure of personal account data.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script accepts authentication cookies from a CLI flag or environment variable and automatically attaches them to outbound requests. In this skill context, that exposes sensitive session credentials to local shell history, process inspection, logs, and accidental reuse, which is risky even if the purpose is to access content that may require login.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code accepts an arbitrary output path and writes fetched content there, giving callers a broad file-write primitive beyond the stated analysis purpose. In an agent context, this increases risk because untrusted or indirectly controlled inputs could overwrite local files, plant data in sensitive locations, or be abused as part of a larger attack chain.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The script emits a shell command that embeds untrusted input directly into a command string: both the user-supplied URL and output directory are interpolated into a yt-dlp command. If an operator copies and pastes this command, crafted input containing shell metacharacters or quote-breaking sequences could lead to command injection on the operator's machine.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad enough to match ordinary user discussion about public-opinion or social-media analysis, which can cause accidental invocation of a skill that performs downloads and writebacks. In context, this is more dangerous because the skill has side effects beyond passive analysis, so unintentional activation could lead to network activity and data changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description mentions reading URLs, downloading media, analyzing content, and generating summaries, but it does not clearly warn that it will modify Feishu records and transmit processed results back to an external service. Users may reasonably interpret this as read-only analysis and be unaware of persistent changes or data movement.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation accepts APP_ID, APP_SECRET, and Xiaohongshu cookies without a clear privacy and handling warning, which can normalize passing sensitive credentials into a scraping workflow. In a skill that automates network requests across multiple services, unclear secret handling raises the chance of credential misuse, overcollection, or accidental exposure in logs and subprocesses.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow instructs full downloads of external media and article images, which causes outbound network access and local file creation based on untrusted URLs without any disclosure or consent boundary. In this context, the skill consumes URLs from a Feishu table, so a malicious or mistaken entry can trigger unexpected retrieval of large, sensitive, or hostile content and create operational and security risk on the host.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow sends title, text, platform, and visual-derived content into an LLM analysis step without any privacy notice, consent mechanism, or data-handling constraints. Because social-media records and extracted media may contain personal, confidential, or copyrighted material, undisclosed transmission to a model service can create privacy, compliance, and data-governance exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document tells users how to extract and persist full authenticated cookies but does not clearly warn that these values are equivalent to live login credentials. Without explicit handling guidance, users may paste them into logs, shells, shared terminals, or temporary files, creating a realistic path to credential leakage and account compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to copy the full Cookie header from browser developer tools and pass it directly to scripts, but gives no warning that this may include sensitive session tokens and other authentication artifacts. If those values are exposed in shell history, process listings, CI logs, or shared documentation, an attacker could reuse them to access the user's authenticated session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Cookie credentials are ingested and then transmitted on HTTPS requests without any explicit safety warning or handling guidance. This can lead users to paste live session tokens into CLI commands or environment variables, increasing the chance of credential leakage through shell history, CI logs, debugging output, or unsafe operational practices.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script accepts raw authentication cookies and writes them to a predictable file path under /tmp without setting restrictive permissions or ensuring cleanup on all exit paths. On multi-user systems or in shared execution environments, this can expose session credentials to other local users or leave sensitive tokens behind if the script exits early.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script downloads remote content and writes it directly to a user-specified path without checking whether the file already exists or whether the target path is safe. In automation or agent use, this can lead to unintended overwrites of important local files and turns remote URL processing into local state modification with little guardrail.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script accepts cookies from CLI arguments or environment variables and automatically sends them in outbound requests, but provides no explicit notice about the sensitivity of those credentials or their privacy implications. In this skill context, the cookies may represent authenticated Xiaohongshu sessions, so accidental misuse, logging exposure, or reuse in automation can leak account access or personal data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script writes session cookies to a predictable path in /tmp without setting restrictive permissions or deleting the file after use. On multi-user systems or shared execution environments, this can expose authenticated session tokens to other local users or processes, enabling account hijacking or unauthorized access to private content.

VirusTotal

46/46 vendors flagged this skill as clean.
