UGC Matrix Growth — Scale Content with AI + Human Creators

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it gives concrete playbook guidance for mass social-account operations, ban avoidance, purchased engagement, and bought app reviews.

Install only if you intentionally want to review this as a risky growth-marketing reference. Do not use its ban-avoidance, account-farming, paid-engagement, bought-review, undisclosed AI persona, or content-laundering tactics; replace them with transparent creator partnerships, official platform tooling, disclosed AI/sponsored content, and policy-compliant review collection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This section provides concrete account-farming guidance such as device-to-account ratios, agency-hosted device fleets, and SIM avoidance to reduce platform detection. In the context of a UGC operations skill, these instructions materially enable deceptive multi-account promotion and policy evasion rather than legitimate content marketing.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The staged 'warming' workflow using overseas IPs/VPNs, low-frequency posting, and behavior shaping is effectively an anti-detection playbook for building inauthentic accounts. Because the skill is framed as a growth SOP, this increases the likelihood of real-world misuse for covert amplification and ban evasion.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This section explicitly recommends rewritten reposts of third-party content, use of multiple accounts for reposting, and purchased engagement to seed Reddit traction. That is a coordinated deceptive amplification tactic that can mislead users, violate platform rules, and facilitate spam or astroturfing at scale.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
These instructions combine repeated-post tolerance, multi-account Gmail setup, fixed clean VPN/IP usage, and automation tooling into a detailed playbook for scaling synthetic matrix accounts while minimizing detection. This is dangerous because it lowers the barrier to coordinated inauthentic behavior across major platforms.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Guidance on buying app reviews or ratings directly enables marketplace manipulation and violates app-store integrity rules. If followed, it can deceive users, distort rankings, and expose operators to app removal, account termination, and reputational damage.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes operating 50-500 accounts, using AI face-swap tooling, and posting at platform-limited frequencies without any warning that these tactics may violate platform rules, impersonation policies, or disclosure requirements. In an agent skill, this is risky because the content can be operationalized directly by users or AI agents, normalizing evasive growth tactics without surfacing compliance or account-safety risks.

Missing User Warnings

High
Confidence
98% confidence
Finding
The FAQ gives concrete anti-ban evasion advice such as using 'clean overseas IPs,' avoiding domestic SIM cards, warming accounts, and limiting posting frequency, which reads as guidance for circumventing platform detection rather than complying with platform policy. That is more dangerous in this skill context because the playbook is explicitly designed to scale many accounts, so the evasion guidance materially enables deceptive or policy-violating operations at scale.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README explicitly advises ban-evasion tactics such as using 'clean foreign IPs,' avoiding domestic SIMs, and warming accounts before posting, framed as operational guidance rather than policy-compliant risk mitigation. In a growth-marketing skill centered on scaling 50-500 accounts, this materially increases the likelihood of deceptive platform abuse, account farming, and ToS violations at scale.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This section operationalizes AI-generated UGC scaling and persona multiplication without any warning about deceptive synthetic media, impersonation risk, disclosure obligations, or platform policy violations. In the context of a growth playbook, these tactics can directly enable misleading content operations at scale, making the omission safety-relevant rather than merely informational.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README gives concrete anti-enforcement guidance such as using 'clean overseas IP,' avoiding domestic SIMs, and warming accounts before posting to prevent suspension. That is evasion-oriented operational advice which can help users bypass platform trust-and-safety controls and scale deceptive or policy-violating account networks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly advises users on how to avoid platform enforcement, including using 'clean overseas IP', avoiding domestic SIM cards, and aging accounts before posting. In the context of a growth-automation skill for operating 50-500 accounts, this is not neutral operational advice; it facilitates evasion of platform trust-and-safety controls and can enable deceptive or policy-violating mass account activity.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list contains broad terms like "UGC," "creator program," and "content matrix" that are common in ordinary marketing conversations, so the skill may activate outside the user's intended scope. In this context, accidental invocation is more concerning because the skill promotes mass-account scaling, AI-generated content multiplication, and matrix-account tactics that can steer users into spammy or platform-evasion behavior without clear consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guidance to hide product names in subtitles/text, together with the note that AI-generated hooks are not easily recognized, encourages synthetic promotional content to appear organic and undisclosed. In this skill context, that omission increases deception risk and can facilitate non-compliant advertising or impersonation-style content.

Missing User Warnings

High
Confidence
98% confidence
Finding
Advising users to avoid domestic SIMs, use 'clean' overseas IPs/VPNs, and rely on overseas friends to warm accounts is explicit evasion guidance with no compliance framing. That makes the skill materially more dangerous because it operationalizes covert account creation and geolocation masking for growth abuse.

Missing User Warnings

High
Confidence
99% confidence
Finding
The Reddit section recommends rewritten reposts and purchased engagement without any discussion of deception, moderation, or enforcement risk. That is dangerous because it normalizes manipulation of community trust and provides actionable tactics for astroturfing.

Missing User Warnings

High
Confidence
99% confidence
Finding
Discussing paid reviews without warning about app-store policy violations invites users to engage in fraudulent ranking manipulation. In an app-growth skill, this is especially dangerous because it is presented as an optimization tactic rather than prohibited conduct.

Ssd 4

Medium
Confidence
96% confidence
Finding
Taken together, the narrative builds a covert workflow for creating, warming, and scaling accounts in ways intended to look authentic and avoid detection. Even if written as growth operations advice, the sequence has clear dual-use abuse potential and is outside the legitimate needs of a standard UGC playbook.

Ssd 4

Medium
Confidence
93% confidence
Finding
This section describes structuring AI promotional videos so they appear less fake, conceal branding, and are harder for platforms or viewers to identify as synthetic ads. That creates a deceptive-content risk, particularly because the skill is expressly about scaling low-cost distribution across social platforms.

Ssd 4

Medium
Confidence
99% confidence
Finding
The Reddit cold-start sequence combines content laundering, multi-account reposting, and bought engagement into a coordinated amplification strategy that masquerades as organic community interest. This is a classic astroturfing pattern and is especially risky in a marketing skill because it is likely to be directly operationalized.

Ssd 4

Medium
Confidence
98% confidence
Finding
The AI UGC operations section lays out layered anti-detection steps for synthetic mass-posting: content structures designed to avoid AI labeling, account fan-out, fixed IP hygiene, and controlled posting rates after prior bans. This substantially enables coordinated inauthentic behavior and repeated policy evasion across platforms.

VirusTotal

65/65 vendors flagged this skill as clean.
