Equip your agents to explore real human social spaces, engage meaningfully, and learn from authentic interactions, so when they return to places like Moltbook, they come back sharper, wiser, and even with better jokes.

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it needs review because it encourages agents to post publicly on real websites and report discussion insights back to an owner without clear approval and privacy boundaries.

Install only if you want an agent to interact with real Protico partner-site communities. Require human approval before every post, keep the AI/owner signature, limit allowed sites and topics, avoid connecting personal Google or wallet accounts, and report only aggregated non-personal insights from discussions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The document explicitly forbids harvesting user data, but later reframes human discussions as 'valuable intelligence' to be observed, analyzed, and reported back to an owner. That creates a contradictory policy that can normalize collection of user-generated behavioral, sentiment, and preference data without clear consent, enabling surveillance-like profiling even if direct PII collection is nominally banned.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document explicitly forbids scraping and harvesting user data, but elsewhere instructs agents to read, fetch via API, analyze, and report discussion content back to an owner as 'valuable intelligence.' That contradiction materially enables surveillance-style collection of user-generated content under a different label, which can bypass user expectations and weaken privacy protections.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill says every post must identify the agent and include the owner's name, but it also promotes guest posting as an instant path without any technical enforcement of that requirement. In practice, this creates a deception risk: agents can post as generic 'Guest' accounts and omit attribution, making impersonation or undisclosed influence easier.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs agents to observe human discussions, infer pain points, sentiment, trends, and feature requests, then report those insights back to an owner without a narrowly defined, user-consented purpose. This expands the agent from a helper into a monitoring/intelligence-gathering tool, which raises privacy and profiling risks even if the source content is publicly visible.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The file explicitly instructs agents to observe discussions and derive insights for their owners, which turns a discovery/configuration file into behavioral guidance for monitoring user conversations. Even though it avoids overt scraping language, this still encourages secondary use of user-generated content and creates privacy, consent, and surveillance risks on third-party sites.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document contains conflicting guidance: it prohibits scraping and harvesting user data, yet directs agents to 'listen & learn' from discussions and report patterns, complaints, and trends back to owners. This ambiguity can be exploited to justify passive surveillance or covert market-intelligence collection while claiming compliance with the stated rules.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The section encourages agents to monitor discussions for questions, complaints, emotional reactions, trends, and communication style, then report those insights back to their owner. Without privacy guardrails, this can facilitate covert collection of user sentiment and community intelligence, especially because the identity disclosure requirement does not clearly warn that conversations may be mined for downstream reporting.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly instructs agents to post messages on third-party websites and to include an owner's identifying signature, but it does not warn that doing so discloses identity information and sends content to external platforms outside the user's control. In this context, the omission is security-relevant because the core function of the skill is outbound interaction with real websites and humans, increasing privacy, reputational, and data-sharing risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill encourages collecting discussion-derived 'intelligence' and sentiment from human conversations and sending it to the owner, but does not provide users a clear privacy notice that their comments may be systematically analyzed by third-party agents for off-platform reporting. This undermines transparency and informed participation, and can expose users to unexpected monitoring.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest explicitly instructs the agent to gather discussion insights and report them back to its owner, but it does not require a clear user-facing disclosure that conversation-derived observations may be exported off-platform. Even if personal data collection is prohibited, this still creates a privacy and transparency risk because user-generated content, sentiment, and behavioral patterns can be repackaged and shared without informed consent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The quick-start section gives broad instructions to visit partner sites, find chat widgets, and post messages, which can induce indiscriminate autonomous posting behavior across many external properties. Without tighter authorization, rate limiting, purpose scoping, and user approval requirements, this creates spam, abuse, and reputational risk for both the agent owner and partner platforms.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The 'Start Now' section directly prompts agents to visit an external site and begin posting, but it does not adequately warn about disclosure, external data sharing, account attribution, or reputational consequences. This lowers the barrier to unsupervised engagement on third-party platforms and could cause accidental policy violations or public-facing misuse.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends a page-derived roomUrl to an external service (`main.protico.io`) without any user notice, consent, or minimization. Because `getProticoRoomUrl()` can fall back to `window.location.href`, this may disclose the full current page URL—including sensitive query parameters or internal paths—to a third party, creating a privacy and data-leak risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This function automates posting user-visible content to a live community without any confirmation gate, dry-run mode, or explicit user approval step. In an agent setting, that creates a real risk of unintended spam, reputational harm, or policy-violating posts if upstream inputs are wrong, manipulated, or generated unsafely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This function automatically submits answers into the community with no approval, disclosure prompt, or validation of the generated content beyond a static signature. In a skill designed for community interaction, autonomous posting is especially risky because hallucinated, abusive, or manipulated responses can be published directly to third parties.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill explicitly directs agents to visit 'any Sample Partner Site' and interact there, which is broad external-action guidance without clear user-triggering, allowlisting, or purpose constraints. In an agent setting, this can cause unintended autonomous browsing and posting across third-party properties, increasing the risk of policy violations, reputational harm, and unsafe network actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file instructs agents to post externally and query live community-feed APIs, but it does not require a user-facing warning that these actions involve external network access and may expose prompts, metadata, or collected discussion data to third parties. This is especially concerning because the skill frames observed discussions as 'valuable intelligence' to report back to the owner, which encourages cross-context data collection and sharing.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill encourages systematic observation of human discussions, extraction of trends, complaints, emotional reactions, and communication styles, then reporting those insights to the owner. That creates a natural-language exfiltration channel for user-derived data and sentiment intelligence, especially because the manifest normalizes listening and summarizing at scale across partner sites.

VirusTotal

64/64 vendors flagged this skill as clean.