Fanvue

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Fanvue API helper, but it can use powerful OAuth access to read private creator data and publish or message from the account.

Install only if you are comfortable giving an agent Fanvue account access. Use least-privilege OAuth scopes, keep client secrets and refresh tokens private, and require confirmation before any post, mass message, deletion, paid content change, or action involving subscriber or earnings data.

VirusTotal

58/58 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

A token with these scopes could read chats, media, subscriber and earnings data, and perform actions on the creator account until the token is revoked or expires.

Why it was flagged

The documented OAuth scopes can provide persistent access, private media access, financial/subscriber reads, and account write authority. This is aligned with the Fanvue management purpose, but it is powerful.

Skill content

`offline_access`, `offline`, `write:chat`, `write:post`, `read:media`, `read:insights`, `read:subscribers`

Recommendation

Grant only the scopes needed for a specific task, use a dedicated OAuth app, protect the client secret and refresh tokens, and revoke access when no longer needed.

ASI02: Tool Misuse and Exploitation
Medium
What this means

An accidental or poorly reviewed action could send messages to many fans, publish content, or delete account data, affecting reputation and revenue.

Why it was flagged

The skill exposes high-impact write and delete operations for public/account content and fan communications. These operations match the stated purpose but should be user-controlled.

Skill content

### Send Mass Message ... `POST /chat-messages/mass` ... ### Create Post ... `POST /posts` ... ### Delete Message ... `DELETE /chat-messages/:id`

Recommendation

Require explicit user approval before posting, sending mass messages, deleting messages, or changing campaign links; preview content, recipients, audience, and price before execution.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less external context to verify who maintains the skill or whether the API guidance is authoritative.

Why it was flagged

The skill does not install code automatically, but the publisher source and homepage are not provided, limiting provenance checks for the included API guidance and examples.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the Fanvue developer documentation and OAuth app settings independently before granting account access.