ClawHub

OSINT Social Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed public OSINT username lookup skill, with privacy and installation cautions but no evidence of hidden collection, persistence, credential use, or destructive behavior.

Install only if you are comfortable sending queried usernames to many public websites where requests may be logged or rate-limited. Use it for lawful, consent-aware public OSINT, confirm intent before scanning someone else's handle, and prefer installing social-analyzer in an isolated Python environment instead of modifying system packages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README advertises very broad trigger phrases such as "look up [name]" and "check if [name] exists on social media," which can overlap with ordinary conversational requests and cause the OSINT skill to be invoked when the user did not explicitly request cross-platform investigation. In a privacy-sensitive skill that aggregates public profile data across 1000+ services, unintended activation increases the risk of over-collection, surprise data exposure, and performing intrusive lookups without clear user intent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger examples and surrounding description use broad, everyday phrases like 'look up [name]' and 'check if [name] exists on social media,' which can cause the skill to activate for ambiguous requests without clear user intent or safety gating. In an OSINT skill, overbroad activation is more dangerous because it can initiate large-scale identity lookups, cross-platform profiling, and privacy-invasive investigation workflows from casual language.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger text is overly expansive, including phrases like 'look up [name]' and instructions to 'always use this skill' for username investigation requests. In context, this can cause the agent to invoke an OSINT-scanning workflow for ambiguous or ordinary lookup requests, leading to unnecessary collection of public profile data and unintended privacy-sensitive investigations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal