Brand Marketing Workflow

Security checks across malware telemetry and agentic risk

Overview

The package is advertised as documentation-only, but it ships runnable marketing automation code that can use local OpenClaw configuration, external services, and local cache files.

Treat this as a runnable automation skill, not a passive reference document. Install only if you are comfortable with it reading your OpenClaw config, using configured LLM/search services, fetching public competitor data, and leaving local cache/evidence files; otherwise ask the publisher to publish a true documentation-only package or clearly declare the operational behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (41)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The manifest presents the skill as documentation-only, yet the file discloses an executable entrypoint and runtime components with shell, network, file read, and file write capabilities. Undeclared powerful capabilities create a trust and review gap: operators may approve or deploy the skill under a low-risk assumption while it can actually execute workflows and access local/configured resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a strong description-behavior mismatch: the skill claims to be a structural, non-implementation reference, but the documented behavior includes executing workflows, making network calls, reading local configuration and credentials, and handling sensitive authorization-related flows. Such misrepresentation can bypass human scrutiny, policy gating, and user consent because reviewers may treat it as inert documentation when it is operational software.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
Claiming the artifact is documentation-only while exposing an executable bootstrap path and concrete runtime scripts is materially misleading. This increases risk because users and reviewers may rely on the safety representation and overlook that the skill can actually run orchestration, fetch external data, and process outputs.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file explicitly says it contains no executable code, then later documents active bootstrap and runtime execution. Internal contradictions about executability are dangerous because they undermine informed consent and can be used to mask operational behavior behind a benign-looking wrapper.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file is inconsistent with the stated skill purpose of providing only structural documentation: it contains concrete optimization guidance, execution instructions, target files, and change plans for executable workflow components. In an agent-skill context, that broadens the skill from passive documentation into operational modification guidance, which can cause unintended code changes or enable prompt-driven workflow tampering if consumed automatically.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file’s behavior conflicts with the declared skill scope: instead of only providing structural documentation, it executes demos, invokes the workflow, and runs integration tests. That mismatch is dangerous because a caller expecting non-executing documentation may trigger unintended code execution, external calls, or side effects during review or audit workflows.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
This section runs live demo scenarios via `python3 run.py --demo`, which goes beyond documentation review and can trigger network access, model usage, data processing, or other operational side effects. In a skill advertised as documentation-only, such hidden execution increases the risk of unexpected actions and breaks trust boundaries relied on by users and orchestrators.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script launches integration testing despite the skill being scoped for understanding and reviewing workflow design. Even if tests are local, they may execute additional code paths, consume credentials or services, and create side effects that are inappropriate for a documentation-only context.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The evidence shows operational browser capabilities such as collecting public signals and preparing draft publication, which exceeds the declared purpose of a documentation-only audit/review skill. This mismatch is dangerous because it can enable real-world external actions and data collection under a misleading, lower-scrutiny interface, increasing the chance of unauthorized automation or scope creep.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file includes generated content assets, scoring, authorization state, and iteration planning rather than only structural workflow documentation. This matters because the skill is represented as review-only, yet the evidence reflects active execution outputs, which can conceal functional behavior and mislead reviewers about what the skill actually does.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Browser-driven collection of platform signals is not necessary for a skill whose stated purpose is understanding or auditing workflow design. In this context, the capability is more dangerous because the documentation-only framing lowers expectation of live external interaction, making hidden collection behavior harder to detect and govern.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Preparing draft publication is an action-oriented capability that goes beyond passive documentation or review. Even if not directly publishing, draft preparation can facilitate unintended outbound content creation and operational use, especially when bundled into a skill that users and reviewers may trust as non-executing documentation support.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file's behavior materially contradicts the declared skill purpose: instead of providing structural documentation or review-only functionality, it executes the full workflow, including generation, competitor processing, authorization checks, and browser-related actions. This capability mismatch is dangerous because users, reviewers, or policy gates may authorize the skill under a low-risk documentation-only assumption while it actually performs operational actions and processes live inputs.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Spawning multiple operational subprocesses is inconsistent with a documentation-only skill and expands the execution surface beyond what the user and platform would reasonably expect from the description. That mismatch increases the risk of hidden behavior, policy bypass, and unintended code execution through auxiliary scripts that are not visible in the declared review-only interface.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill performs competitor-intelligence processing plus authorization and browser-compliance actions despite being presented as documentation/review only. In context, that hidden operational scope is risky because it may trigger data collection, external interaction, or user-assist flows under false pretenses, undermining informed consent and security review boundaries.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file performs real LLM-powered analysis of competitor data, which materially exceeds the stated documentation-only purpose in the skill metadata. This creates a capability mismatch that can lead to undisclosed data processing, unexpected external calls, and user trust violations because raw competitor content and brand context are actually analyzed rather than merely documented.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The import of an LLM gateway client enables external/model invocation in a skill described as structural documentation only. In this context, hidden execution capability is dangerous because it expands the trust boundary and allows outbound processing of supplied content without the narrow purpose users would reasonably expect from the manifest.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module docstring explicitly states that the script reads raw scraped data and calls an LLM to extract marketing signals, contradicting the manifest's documentation-only positioning. This inconsistency is a security-relevant transparency failure because operators and users may approve or invoke the skill under false assumptions about what data processing actually occurs.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This code performs live network retrieval using arbitrary configured URLs and Jina, which exceeds a documentation-only skill’s declared purpose. In this context, hidden fetch behavior increases the risk of undisclosed data egress, unexpected external dependencies, and misleading users or reviewers about what the skill actually does.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script persistently stores fetched competitor content under an evidence directory, creating local data retention that is not justified by a structural-documentation skill. Undisclosed persistence can expose sensitive browsing targets, fetched content, and operational traces to other local processes or future users of the environment.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reads a Brave API key from a user-home configuration file without any visible disclosure or permission boundary. For a documentation/review skill, silently harvesting local credentials is unjustified and expands the skill’s effective privileges beyond what a user would reasonably expect.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section actively collects competitor data from external services using configured URLs and Brave search, which is materially different from a documentation-only workflow. In the stated skill context, this mismatch is dangerous because it enables covert external communication and collection behavior under a benign-seeming interface.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The module explicitly states it generates real multi-channel marketing content from brand and competitor inputs, which materially conflicts with the skill's declared documentation/audit-only purpose. This creates a capability mismatch that can mislead users and reviewers, and may cause sensitive business inputs to be processed by an external model in a context where only structural review was expected.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code path builds a prompt from user-supplied business data and performs live LLM-backed content production, not merely workflow documentation or audit. In this skill context, that mismatch is security-relevant because it expands functionality beyond declared boundaries and increases the risk of undisclosed handling of sensitive brand strategy and competitor data.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Importing and using an external LLM client is context-inappropriate for a skill advertised as structural documentation and workflow review. While external model calls are not inherently unsafe, in this setting they enable undeclared data egress and hidden execution of a broader capability than users were led to expect.

VirusTotal

66/66 vendors flagged this skill as clean.
