Personal Brand Builder

Security checks across malware telemetry and agentic risk

Overview

This brand automation skill is review-worthy because it requests social account credentials and describes autonomous posting and recurring Telegram notifications without clear controls, though the artifacts do not show theft or destructive behavior.

Install only if you want an agent to help manage a public personal brand and you are comfortable reviewing social-account automation carefully. Start in manual mode without Twitter/X credentials, leave Telegram variables unset unless you want summaries sent to Telegram, review any proof files for financial or personal data, and do not allow autonomous posting until you have a clear approval process for every public action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tainted flow: 'req' from os.environ.get (line 73, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            f"https://api.telegram.org/bot{token}/sendMessage",
            data=payload.encode(), headers={"Content-Type": "application/json"}
        )
        with urllib.request.urlopen(req, timeout=10):
            pass
        print(f"  ✅ Telegram notification sent")
    except Exception as e:
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=10):

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill advertises broad multi-platform brand management, but the documented behavior includes Telegram notifications and local logging that are not clearly disclosed in the user-facing description, while actual platform automation is inconsistently specified. This mismatch can mislead operators about what data leaves the workspace and what actions are really automated, increasing the risk of unintended disclosure or unsafe deployment assumptions.

Scope Creep

Medium
Confidence
88% confidence
Finding
The documentation states the skill writes screenshots, testimonials, revenue artifacts, and other proof materials into /workspace/brand/proof/, but that path is missing from declared write permissions. In a permission-enforced environment this causes unauthorized-write attempts or permission drift; in a weaker environment it undermines least-privilege review because sensitive proof artifacts are handled outside the declared boundary.

Scope Creep

Low
Confidence
80% confidence
Finding
The skill says it logs errors to ERRORS.md, but that file is not included in declared write permissions. Although lower severity, undocumented log destinations create audit blind spots and can cause writes to unexpected locations, especially if logs contain API failures, account identifiers, or operational details.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Telegram messaging is not clearly necessary for the declared functionality and creates an unnecessary external communication path. In agent environments, unjustified outbound channels increase the risk of silent data leakage and operator surprise, especially when they are not prominently disclosed.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The status command checks for the presence of TELEGRAM and TWITTER credentials even though this file does not use Twitter automation at all. While it does not print secret values, probing unrelated credentials expands the skill's visibility into the environment beyond its demonstrated need and can facilitate environment reconnaissance.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill supports autonomous posting and Telegram notifications, which can transmit generated content, activity summaries, and operational metadata to external services without a strong up-front user warning. In this context, the skill manages brand content, networking, performance logs, and proof artifacts, so undisclosed outbound transmission can expose sensitive business, financial, or reputational information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill transmits brand and activity data to Telegram without any prominent warning in command help or docstrings, so users may invoke routine commands unaware that data leaves the local environment. Hidden or under-disclosed exfiltration paths are more dangerous in autonomous-agent tooling because they can operate during normal workflows.

VirusTotal

57/57 vendors flagged this skill as clean.