KOL Outreach & Influencer Marketing — Discovery to ROI Tracking

Security checks across malware telemetry and agentic risk

Overview

This is a marketing playbook with no executable malware, but it includes guidance that could enable deceptive community promotion and unsafe outreach automation.

Review before installing if you plan to let an agent act on this skill. Use it only for compliant, transparent influencer outreach: disclose sponsorships, follow platform and community rules, avoid mass unsolicited DMs, honor opt-outs, and protect any creator banking or contact data. Do not use the Reddit tactics that disguise advertising as organic discussion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README explicitly recommends outreach/DM automation tools such as XAutoDM, Phantombuster, and email outreach platforms, but provides no safeguards around consent, rate limiting, platform terms, data minimization, or account-ban/privacy risks. In a growth-marketing skill whose purpose is to scale influencer outreach, this omission can normalize bulk unsolicited messaging and unsafe handling of creator contact data, increasing the chance of privacy violations, spam abuse, or enforcement actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README explicitly recommends automated outreach tools such as XAutoDM, Phantombuster, and email/DM automation without any safeguards, consent requirements, rate limiting guidance, or warnings about platform terms, privacy, and account-ban risk. In a skill whose purpose is influencer outreach at scale, this omission can directly encourage spammy or policy-violating behavior and expose users to account suspension, reputational damage, and potential privacy/compliance issues.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README recommends DM automation tools for Twitter and LinkedIn without any warning about consent, privacy obligations, anti-spam rules, or platform enforcement risk. In a growth/outreach skill, this can encourage bulk unsolicited messaging and account scraping/automation behavior that may violate platform policies, trigger account bans, or create privacy/compliance exposure for users.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding
The skill explicitly presents Chinese as the operating language without offering a clear user-choice mechanism. This can override user expectations, reduce transparency, and cause unsafe misunderstandings if the user cannot reliably interpret instructions, links, or workflow details.

Ssd 4

Severity: Medium
Confidence: 98%
Finding
This section explicitly advises making promotional Reddit content appear as 'real sharing' and question-led discussion rather than advertising, which is deceptive manipulation of community trust and moderation systems. In an agent skill, this can operationalize stealth marketing or astroturfing at scale, exposing users to platform enforcement, reputational damage, and potentially legal/compliance issues around undisclosed sponsorships.

Ssd 4

Severity: Medium
Confidence: 99%
Finding
The guidance reinforces evasion by telling operators to present promotional posts as non-advertising and 'real' so they fit community norms and avoid rejection. Because this skill is a reusable outreach SOP, the context makes it more dangerous: it turns deceptive social-engineering tactics into repeatable workflow steps for distribution across Reddit and similar communities.
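The three "Missing User Warnings" findings and the two Reddit findings above all come down to the same gap: the skill tells an agent to message people at scale but encodes none of the controls (opt-out handling, per-platform rate limits, data minimization, visible sponsorship disclosure) that would keep that behaviour within platform rules. The example below is an added illustration, not code from the scanned skill or from SkillSpector: a gate an agent host can put in front of a "send outreach message" tool call. The per-platform hourly caps, the disclosure wording, the opt-out list format and the creator-record field names are all assumptions made for illustration and are not taken from the page.

```python
"""Added example: a policy gate for an agent's outbound-outreach tool call.

Not part of the scanned skill or of SkillSpector. Every constant below is an
assumption for illustration: real caps come from each platform's automation
rules, which this example does not encode.
"""
from collections import deque
from dataclasses import dataclass, field
import re

WINDOW_SECONDS = 3600
# Assumed per-platform caps on outbound messages per rolling hour.
HOURLY_CAPS = {"twitter": 5, "linkedin": 3, "email": 20}

# Assumed disclosure wording; (?<!\w) instead of \b so that '#ad' matches.
DISCLOSURE_RE = re.compile(r"(?i)(?<!\w)(#ad|#sponsored|sponsored|paid partnership)\b")

# Data minimization: the only creator fields the messaging step may see.
# Banking details, phone numbers and addresses belong to the payment step, not here.
ALLOWED_FIELDS = {"platform", "handle", "display_name"}


def minimize_creator(record: dict) -> dict:
    """Strip everything the messaging tool does not need before the record
    reaches a tool call, a prompt, or a log line."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


@dataclass
class OutreachGate:
    opt_outs: set                                # lower-cased handles that declined contact
    sent: dict = field(default_factory=dict)     # platform -> deque of send timestamps

    def record_opt_out(self, handle: str) -> None:
        """Honor an opt-out permanently, regardless of platform."""
        self.opt_outs.add(handle.lower())

    def check(self, platform: str, handle: str, message: str, now: float) -> tuple:
        """Return (allowed, reason). Call once per outbound message; a True
        result counts against the platform's rolling-hour budget."""
        if platform not in HOURLY_CAPS:
            return False, f"platform {platform!r} not approved for automation"
        if handle.lower() in self.opt_outs:
            return False, "recipient opted out"
        if not DISCLOSURE_RE.search(message):
            return False, "missing sponsorship disclosure"
        window = self.sent.setdefault(platform, deque())
        # Drop sends older than the rolling window, then enforce the cap.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= HOURLY_CAPS[platform]:
            return False, f"hourly cap for {platform} reached"
        window.append(now)
        return True, "ok"


def demo() -> dict:
    """Constructed scenario showing each control firing; returns outcomes."""
    gate = OutreachGate(opt_outs={"@nocontact"})
    pitch = "Paid partnership offer from ExampleCo: interested in a review?"  # constructed
    out = {
        "opted_out": gate.check("twitter", "@NoContact", pitch, now=0.0),
        "no_disclosure": gate.check("twitter", "@creator0", "Loved your video! DM me", now=0.0),
        "unknown_platform": gate.check("reddit", "@creator0", pitch, now=0.0),
    }
    # Five pitches fit the assumed Twitter cap; the sixth is held back.
    out["burst"] = [gate.check("twitter", f"@creator{i}", pitch, now=float(i))[0] for i in range(6)]
    # An hour later the oldest send ages out and one more message is allowed.
    out["after_window"] = gate.check("twitter", "@creator6", pitch, now=3600.0)[0]
    out["minimized"] = minimize_creator({
        "handle": "@creator0", "platform": "twitter",
        "iban": "constructed-not-real", "phone": "000",   # constructed sensitive fields
    })
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The gate is deliberately fail-closed: anything it cannot classify (an unlisted platform, a message with no disclosure) is refused rather than passed through, and the opt-out check runs before the rate limiter so a declined contact never consumes budget or gets retried later.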

VirusTotal

65/65 vendors reported this skill as clean (no detections).
