SoloBuddy

Security checks across malware telemetry and agentic risk

Overview

SoloBuddy is a coherent build-in-public assistant, but it asks for background monitoring, session-token handling, and broad publishing actions that need careful review before install.

Review before installing. Use a dedicated `solobuddy.dataPath` folder with no secrets or unrelated files, inspect changes before any publish action, and avoid storing X/Twitter session tokens in shell startup files if possible. Treat the Twitter monitor as optional background automation and only enable it after you understand what scripts will run and how to stop them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Medium, 88% confidence

The skill metadata declares a GitHub CLI requirement, and the skill later performs repository-affecting git operations, but the top-level description presents it as a content/Twitter companion rather than a tool with source-control side effects. This mismatch can cause users or orchestrators to grant elevated capabilities without understanding that the skill may modify and publish repository contents.

Description-Behavior Mismatch

Medium, 95% confidence

The skill includes a publishing workflow that stages all changes, commits them, and pushes to a remote repository, but this capability is not clearly disclosed in the manifest description. Undisclosed remote write behavior is dangerous because it can leak sensitive local content, publish unintended files, or alter project history under the guise of a benign content assistant.

Description-Behavior Mismatch

Medium, 86% confidence

The skill is documented to inspect a local project path and persist derived data to disk, which expands its access from chat assistance into local filesystem interaction. In the absence of path restrictions, explicit consent, and clear disclosure of what is read and written, this creates unnecessary exposure of local project metadata and persistent storage side effects.

Context-Inappropriate Capability

Medium, 93% confidence

The flow accepts an arbitrary user-supplied path and uses a shell command to enumerate Markdown files there. Even though the example is simple, arbitrary path access broadens the trust boundary and can expose unrelated local files or sensitive repository contents if the path is not restricted and safely handled.

Missing User Warnings

Medium, 96% confidence

The publishing command performs `git add .`, commit, and push without any explicit warning, preview, or confirmation step. This is dangerous because a user may trigger publication of unintended files, secrets, or unrelated local changes, and the push propagates those changes to a remote repository immediately.

Missing User Warnings

Medium, 93% confidence

The documentation explicitly instructs users to store X/Twitter session credentials (`AUTH_TOKEN` and `CT0`) in `~/.zshrc` without any warning about their sensitivity or safer storage practices. These are effectively authentication secrets; if exposed through shell history, dotfile syncing, backups, logs, or local compromise, an attacker could hijack the associated account session.

Natural-Language Policy Violations

Medium, 94% confidence

The prompt explicitly instructs the agent to write as if it is the creator and always use first person, which creates impersonation risk without requiring explicit user consent or clear disclosure. In a content-generation skill for a real creator, this can misrepresent authorship, fabricate personal experience, and cause reputational or trust harm if outputs are presented as authentic statements from the creator.

Missing User Warnings

Medium, 89% confidence

The wizard writes a JSON file to persistent storage, but the user-facing flow does not clearly explain the storage location, retention, or overwrite behavior before save. This can lead to silent persistence of project-derived information and unexpected accumulation of metadata on disk.

VirusTotal

65/65 vendors flagged this skill as clean.