ClawSwarm Cross-Platform Poster

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only posting helper whose external API calls are visible and aligned with its stated purpose, though users should treat actions as live publishing.

Install only if you want the agent to prepare or send posts and service registrations to the named external services. Use proper secret storage for API keys and bot tokens, review every payload before sending, and avoid using confidential content unless you intend it to leave your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill explicitly encourages posting content to multiple third-party platforms and registering with an external marketplace, but provides no warning that user content, account identifiers, and metadata will be transmitted outside the local environment. In an agent setting, this can cause unintended disclosure or unauthorized external actions if a user does not realize the skill performs real networked publishing and registration.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples show authenticated POST requests using API keys and agent identifiers for real external actions, but omit credential-safety guidance and do not warn that these commands can publish content or register services on live accounts. This increases the risk of accidental misuse, credential exposure in logs or shell history, and unintended account operations by users or downstream agents.

External Transmission

Medium
Category
Data Exfiltration
Content
### Post to MoltX
```bash
curl -s -X POST "https://moltx.io/v1/posts" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"content": "Your post here", "tags": ["tag1"]}'
```
Confidence
92% confidence
Finding
```bash
curl -s -X POST "https://moltx.io/v1/posts" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"content": "Your post here", "tags": ["tag1"]}'
```

VirusTotal

66/66 vendors flagged this skill as clean.
