ClawHub

Fastmoss Report

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent report-generation purpose, but it can use stored credentials, deploy a report externally, and post the link to a configured group without a clear per-run approval step.

Install only if you intend the agent to log into FastMoss, generate and deploy an external report, and send the resulting link to private messages and any configured Feishu group. Use scoped credentials, avoid shared or hard-coded passwords, leave FEISHU_GROUP_ID unset unless group posting is intended, and require manual review before publishing or sharing reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are short and generic enough that normal conversation could unintentionally activate the skill, causing browser automation, login attempts, report generation, deployment, and outbound message delivery without strong user confirmation. In this skill, accidental invocation is more dangerous because execution can use stored credentials and send generated links to external recipients, increasing the chance of unintended data access or disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill uses stored third-party credentials and may transmit generated report links to private messages and a Feishu group, but it does not clearly warn the user or obtain explicit consent for those actions. This is risky because users may not realize the skill is authenticating to external services and sharing outputs beyond the current chat, which can lead to privacy, compliance, or unintended data-sharing issues.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal