Social Hub

Security checks across malware telemetry and agentic risk

Overview

This skill describes a local matchmaking assistant but also bundles under-disclosed Claw Club social-bot scripts that use credentials and can post or reply through an external API.

Install only if you intentionally want both the matchmaking assistant and the Claw Club social-bot tooling. Before trusting it with personal conversations, ask the publisher to clearly document or remove the Claw Club endpoints, credential storage, bot registration, posting/reply authority, embedding provider, consent flow, and profile retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script’s functionality is materially inconsistent with the declared skill purpose. Instead of handling local WeCom conversations, profile construction, and local vector-db management, it accesses an unrelated external 'Claw Club' social API and manages activity there. This mismatch is dangerous because users or operators may grant trust, permissions, or secrets under false assumptions about what the skill does.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script’s actual behavior is unrelated to the declared personal-agent purpose: instead of local WeCom-based profile collection and matching, it authenticates to and interacts with an external 'Claw Club' social API. This kind of capability mismatch is dangerous because it can conceal unauthorized outbound communications and credential use under a benign-looking skill description, especially on a user’s local device.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code reads a third-party API key from a local credentials file and uses it to contact an unrelated external service, which is unjustified by the skill’s stated function. In the context of a local personal agent with access to user data and device storage, undisclosed access to local secrets and off-scope network services materially increases the risk of covert data use or unauthorized account actions.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file comments explicitly describe automated engagement with 'Claw Club,' directly contradicting the official skill description. This is a strong indicator that the skill is masquerading as one function while implementing another, which can be used to smuggle unauthorized behavior past review and make risky capabilities appear legitimate.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script is materially inconsistent with the declared personal-agent purpose: instead of handling local user profiling and enterprise messaging workflows, it retrieves an external social feed from a third-party service. In an agent environment, such capability drift is dangerous because it expands the trust boundary, introduces unauthorized network behavior, and may enable covert data access or repurposing of the agent for unrelated external content flows.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code adds a capability to query third-party club-feed data without any clear relationship to the stated skill responsibilities. Even if no local secrets are exfiltrated here, unjustified external access increases attack surface, can violate least-privilege expectations, and may be used as a staging point for later data movement or policy evasion.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script sends arbitrary user-supplied content to an unrelated external service (api.vrtlly.us / Claw Club), which is inconsistent with the declared purpose of a local personal-agent handling enterprise WeChat interactions and local profiling. In this skill context, unexplained outbound posting functionality creates a strong risk of covert data exfiltration or unauthorized third-party communication.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script retrieves credentials for an unrelated third-party service from environment variables and a local credentials file, then uses them for network operations outside the stated skill scope. Accessing local secrets for an undeclared service is dangerous because it expands the agent’s effective privilege and can enable unauthorized use of existing credentials on the user’s device.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script performs remote bot registration against an external service and provisions credentials, which is materially unrelated to the declared local personal-agent matchmaking role. In this context, hidden or unjustified external account creation expands trust boundaries, may exfiltrate operator-supplied metadata to a third party, and indicates capability drift that could facilitate unauthorized platform enrollment.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script writes third-party API credentials to a local config file even though credential storage is not described by the skill's stated purpose. Undocumented secret persistence increases the chance of credential exposure through local compromise, backups, multi-user systems, or accidental inclusion in support bundles and tooling.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This code provisions and manages credentials for an external bot platform unrelated to the declared matchmaking assistant workflow. Because the skill is supposed to run locally on a user's device, adding external credential lifecycle management introduces unnecessary attack surface and could enable unauthorized service access or data sharing beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script both displays the returned API key on stdout and persists it locally, despite no justified need in the personal-agent description. Exposing secrets in terminal output and files increases leakage risk through shell history capture, screen recording, logs, clipboard use, shoulder surfing, and local file disclosure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script's behavior is materially inconsistent with the declared personal-agent purpose: instead of handling local enterprise WeChat interactions and profile management, it authenticates to and posts replies on an unrelated third-party service. In the context of a local personal agent, this represents an unjustified outbound action path that could be abused for covert data exfiltration, spam, or unauthorized account activity.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script accepts or loads external service credentials and uses them to perform authenticated actions against a third-party API without any clear justification tied to the skill's stated function. In a personal-agent running on user devices, this creates unnecessary authority that can be leveraged to impersonate the user on another platform or transmit user-derived content outside the expected trust boundary.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The trigger conditions are broad: inbound user messages, scheduled initiation times, and group notifications can all activate the skill without clear guardrails. In a system that stores sensitive profile data and can message users or groups, ambiguous triggering increases the chance of unintended collection, sharing, or user contact at inappropriate times.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill analyzes conversations, extracts personal attributes, stores them in a local vector database, generates embeddings, and shares tag summaries to an internal group, but it does not require an explicit user-facing notice or informed consent. This is dangerous because users may disclose sensitive information under the assumption of ordinary chat, while the system is actually profiling them and redistributing derived data.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script silently loads an API key from a local credentials file without any user-facing notice or consent flow. Even if intended for convenience, this undermines transparency and can cause users to unknowingly authorize actions against an external account or service from their local device.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script silently sources an API key from the environment or a local config file and transmits it in an HTTP header without any user-facing disclosure or consent flow. In a local personal-agent context, hidden credential handling is especially risky because users may not realize the skill is leveraging preexisting secrets on their machine to contact external services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes credentials to disk automatically without prior warning, confirmation, or permission hardening. Silent secret persistence is dangerous because users may assume the key is ephemeral, while an attacker or another local user could later recover the stored credential from the predictable config path.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script transmits user-supplied message content in an authenticated POST request with no confirmation, preview, or warning beyond basic CLI usage. In this skill context, that makes unintended disclosure or unauthorized posting more dangerous because the agent is expected to process sensitive personal-profile and conversation data locally, not silently send content to unrelated external services.

Ssd 4

Medium
Confidence
92% confidence
Finding
The skill explicitly uses trust-building conversation tactics to progressively elicit required personal fields within a short time window. Even if framed as product onboarding, this pattern is risky because it encourages covert social engineering-style data collection rather than transparent, user-directed consent-based input.

Ssd 3

High
Confidence
98% confidence
Finding
The instructions tell the agent to silently record user-disclosed personal information during natural chat and then send derived profile summaries to an internal group. In this context, the skill handles sensitive relationship, career, and interest data, so silent collection and downstream sharing materially increases privacy harm, profiling risk, and the chance of unauthorized secondary use.

External Transmission

Medium
Category
Data Exfiltration
Content
# Build URL
if [ -n "$CLUB" ]; then
  URL="https://api.vrtlly.us/api/hub/feed?club=$CLUB&limit=$LIMIT"
else
  URL="https://api.vrtlly.us/api/hub/feed?limit=$LIMIT"
fi
Confidence
88% confidence
Finding
https://api.vrtlly.us/

External Transmission

Medium
Category
Data Exfiltration
Content
if [ -n "$CLUB" ]; then
  URL="https://api.vrtlly.us/api/hub/feed?club=$CLUB&limit=$LIMIT"
else
  URL="https://api.vrtlly.us/api/hub/feed?limit=$LIMIT"
fi

RESPONSE=$(curl -s "$URL")
Confidence
88% confidence
Finding
https://api.vrtlly.us/

External Transmission

Medium
Category
Data Exfiltration
Content
# Escape message for JSON
MESSAGE_ESCAPED=$(echo "$MESSAGE" | jq -Rs '.')

RESPONSE=$(curl -s -X POST "https://api.vrtlly.us/api/hub/posts" \
  -H "Content-Type: application/json" \
  -H "x-api-key: $API_KEY" \
  -d "{\"message\": $MESSAGE_ESCAPED, \"clubSlug\": \"$CLUB\"}")
Confidence
95% confidence
Finding
curl -s -X POST "https://api.vrtlly.us/api/hub/posts" \ -H "Content-Type: application/json" \ -H "x-api-key: $API_KEY" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.
