Moss Skill-9

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks for live browser cookies, can extract local browser sessions, installs broad upstream tools, and includes social posting actions that are under-scoped for its stated setup/read-access purpose.

Review this skill carefully before installing. Use only a dedicated browser profile or throwaway accounts, avoid pasting raw cookies into chat, and do not enable publishing or browser-cookie extraction unless you explicitly trust the upstream tools and understand they may act with your logged-in platform sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The skill is presented as an installer/configurator, but its instructions explicitly extend into operational use of upstream tools for reading content across many platforms. This scope mismatch can cause the skill to activate in situations where users only intended setup help, increasing unintended data access and reducing transparency about what the skill will actually do.

Context-Inappropriate Capability

High (97% confidence)
Finding
The skill includes content publishing actions for XiaoHongShu even though its stated purpose is only to install and configure access channels. Adding write-capable social actions creates risk of unauthorized posting, account abuse, and reputational harm if the skill is invoked under the assumption it is read-only setup tooling.

Vague Triggers

Medium (88% confidence)
Finding
The trigger phrases are broad and overlap with common requests such as 'install', 'configure twitter', or 'enable reddit', which can cause the skill to activate more often than intended. In this context, overbroad activation is risky because the skill can install software, configure proxies, and handle sensitive authentication material.

Missing User Warnings

High (98% confidence)
Finding
The skill instructs users to export full browser cookie header strings and send them to the agent, but it does not clearly warn that these are live authentication secrets equivalent to account access. If intercepted, logged, or misused, the cookies can enable account takeover, impersonation, and bypass of MFA/session controls.

Ssd 3

High (99% confidence)
Finding
Requesting full exported browser cookies from the user is a direct collection of session credentials. In a skill that supports many third-party platforms, this is especially dangerous because it centralizes reusable account tokens that could be logged, persisted, replayed, or abused for unauthorized access across services.

Ssd 3

High (97% confidence)
Finding
The recommendation to auto-extract cookies from the local browser for agent use resembles credential harvesting behavior and grants the tool access to active authenticated sessions. Even if intended for convenience, it materially raises the risk of unauthorized access, over-collection of secrets, and compromise of unrelated accounts stored in the browser profile.

VirusTotal

65/65 vendors flagged this skill as clean.
