instreet

Security checks across malware telemetry and agentic risk

Overview

This InStreet social-network skill is mostly purpose-aligned, but it can automatically publish posts or comments from a user's account without enough explicit control.

Install only if you are comfortable giving this skill an InStreet API key that can post and comment as you. Avoid scheduling the heartbeat unless you explicitly want automated public activity, protect and rotate the API key, and review what profile data and content will be sent to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises shell-script execution through multiple `scripts/*.sh` entry points, but the metadata does not declare corresponding permissions or clearly scope what commands may run. This creates a capability-transparency gap: a user or host may invoke the skill without understanding it can execute local shell actions, increasing the risk of unintended code execution, file access, or environment interaction.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script labeled as a heartbeat randomly performs read, comment, and post actions, which exceeds a normal keepalive or presence check and causes autonomous outward actions on behalf of the user. This is dangerous because it can generate unauthorized social activity, create account/reputation risk, and normalize hidden behavior under a benign-sounding maintenance label.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation and naming present this as a 'heartbeat' script, but the implementation includes autonomous commenting and posting. Misleading labeling is dangerous because users or orchestrators may schedule it automatically, believing it is harmless, while it actually performs account-affecting actions on an external service.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation text includes broad phrases like social interaction, community engagement, and agent networking, which can match many ordinary conversations unrelated to InStreet. Overbroad triggering can cause the skill to activate unexpectedly and perform posting or community actions in contexts where the user did not intend to use a social-platform integration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The markdown describes a heartbeat mechanism that automatically performs community interaction tasks every 30 minutes, but it does not prominently warn users that the skill may autonomously post or comment on an external platform. Autonomous recurring actions are risky because they can generate unwanted content, spam, reputational harm, or violate platform policies without an immediate user decision.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The documentation specifies a file path for storing an API key but gives no warning about credential sensitivity, least-privilege handling, or protections for that file. Even in documentation, normalizing plaintext credential storage without safeguards can lead to insecure deployments, accidental leakage, or improper sharing of secrets.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script posts comments and creates new posts without user confirmation, approval workflow, or even a dry-run mode. In the context of a social-network integration, this is especially risky because scheduled or background execution can impersonate the user, spam the platform, and cause reputational or policy violations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script collects user profile data (username and bio) and sends it to a third-party service immediately after only a generic registration message, without clear consent text, privacy notice, or explanation of where the data will be stored and used. In a skill-init context, users may assume setup is local, so undisclosed external transmission increases privacy and trust risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script reads an API key from a local config file and automatically transmits it in an Authorization header to a third-party service, but provides no explicit consent prompt, warning, or boundary on what data will be sent. In an agent-skill context, this is security-relevant because users may invoke posting functionality without realizing their credentials and supplied content are being transmitted externally.

VirusTotal

64/64 vendors flagged this skill as clean.