ClawHub
Back to skill

Security audit

Brand Marketing Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a brand-marketing workflow, but it includes under-disclosed local credential and messaging-gateway capability that should be reviewed before installation.

Review this skill before installing. It is appropriate only if you are comfortable with brand and competitor data being sent to your configured LLM/search providers, and you should remove or audit gateway_client.py unless you explicitly want Telegram/Feishu messaging through your local OpenClaw gateway token. Do not rely on the bundled benchmark alone as proof of safety.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises substantial capabilities including file access, network access, shell execution, and file writing, yet the manifest does not declare permissions or provide a least-privilege boundary. This creates a transparency and review failure: users may authorize or run the skill without understanding that it can read local config, invoke external services, and execute local commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is a brand-marketing workflow, but the described behavior extends into local configuration access, external API calls, messaging gateway use, testing/regression execution, and browser/login authorization flows. That mismatch is dangerous because users may approve a seemingly narrow marketing tool that in practice has broader data access and action surface, increasing the risk of secret exposure, unintended outbound transmission, and unexpected operational behavior.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The script reports regression_pass=1 even when integration tests do not actually pass, which can mask failures and create a false sense of safety around the skill. In a workflow that may be used to gate releases or trust automation quality, this weakens assurance controls and can allow broken or unsafe changes to ship undetected.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This module gives the skill the ability to send outbound Telegram/Feishu messages through a local gateway, which is not clearly justified by the stated brand-marketing workflow description. Even if intended for notifications, it creates a data exfiltration and unauthorized messaging path that could be abused to send sensitive content or spam via locally configured bot accounts.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code reads credentials and configuration from ~/.openclaw/openclaw.json, giving the skill access to external local secrets outside its own scoped inputs. In this skill context, that broadens trust boundaries and enables misuse of locally stored gateway tokens for unintended outbound actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code reads provider endpoints and API key material from the user's ~/.openclaw/openclaw.json and then uses them for outbound model calls. In a packaged skill, this expands the skill's authority to consume user-scoped credentials and contact arbitrary configured providers, which is more privilege than the brand-marketing description clearly justifies and can enable unintended data exfiltration through the user's own LLM account.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The authorization request is presented only in Chinese for a high-risk boundary action involving publishing, access, and payment authorization. If the user or operator cannot read Chinese, they may misunderstand the prompt and accidentally authorize actions they did not intend, weakening informed consent at a critical approval checkpoint. In a marketing automation workflow that can publish or spend funds, this increases the chance of unauthorized or mistaken approval.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The module sends the full constructed prompt to an external LLM, and that prompt includes brand brief data, target audience details, and competitor insights. If users are not clearly informed that these business-sensitive inputs leave the local process and are processed by a remote model provider, the skill can cause unintended data disclosure and compliance issues.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The function performs network transmission to a local gateway without any user-facing disclosure, confirmation, or visible safeguard in the sending path. In an agent skill, silent outbound messaging is risky because generated content, user data, or internal analysis could be transmitted externally without the operator realizing it.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The module sends arbitrary prompt content plus authorization headers to remote endpoints without any user-facing notice, confirmation, or policy guardrails. Because the endpoint comes from user-controlled configuration, sensitive workflow data may be transmitted to third-party or self-hosted services unexpectedly, increasing privacy and data leakage risk in this marketing automation context.

Ssd 1

Medium
Confidence
94% confidence
Finding
Untrusted competitor raw_text is interpolated directly into the LLM prompt with no delimiting, sanitization, or instruction/data separation. A competitor page can include adversarial text such as 'ignore previous instructions' or output-shaping content that causes the model to disregard the intended task, poison the extracted marketing signals, or emit malformed JSON, which can corrupt downstream automation in this end-to-end marketing workflow.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
print(f"[CACHE] TTL expired for {name}, will re-fetch")

# 智能 auth 跳过
def should_skip_auth(action: str, data_access: str, historical_success_rate: float = 0.0) -> bool:
    if action in RISK_THRESHOLDS["low"]["actions"] and data_access == "public":
        return True
    if historical_success_rate > 0.9:
Confidence
92% confidence
Finding
skip_auth

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal