PostNitro Carousel Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PostNitro carousel-generation helper, with the main caution that submitted content and URLs go to PostNitro and may use account credits.

Before installing, verify you trust the publisher and PostNitro account you are connecting. Use a scoped or dedicated API key if possible, expect carousel generation to spend credits, and do not submit private drafts, internal URLs, personal data, secrets, or regulated content unless you are authorized to send it to PostNitro.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger description is extremely broad and can cause the skill to activate for many generic requests about social posts, slide decks, or turning text into content. That increases the chance the agent will route unrelated or sensitive user material into this skill and then onward to a third-party API without the user clearly intending to use PostNitro.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends user-provided text, article URLs, and X/Twitter URLs to PostNitro, but it does not present a clear privacy warning or obtain explicit consent before transmission. This is dangerous because users may provide confidential drafts, internal documents, or tracking-bearing URLs without realizing their data is being shared with an external service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API reference instructs users to send arbitrary text, article URLs, and X URLs to a third-party remote service but does not clearly warn that this content leaves the local environment and may contain sensitive or proprietary data. In an agent skill context, that omission can cause users or downstream agents to transmit confidential content, internal links, or personal data to PostNitro without informed consent.

External Transmission

Medium
Category
Data Exfiltration
Content
### 1. Generate a carousel with AI

```bash
curl -X POST 'https://embed-api.postnitro.ai/post/initiate/generate' \
  -H 'Content-Type: application/json' \
  -H "embed-api-key: $POSTNITRO_API_KEY" \
  -d '{
```
Confidence
91% confidence
Finding
curl -X POST 'https://embed-api.postnitro.ai/post/initiate/generate' \ -H 'Content-Type: application/json' \ -H "embed-api-key: $POSTNITRO_API_KEY" \ -d '{ "postType": "CAROUSEL", "templ

VirusTotal

65/65 vendors flagged this skill as clean.
