Content Creation Multi Agent

Security checks across malware telemetry and agentic risk

Overview

This content-creation skill is mostly related to its stated purpose, but it includes broad local-file access, plaintext credential storage, automatic service changes, and GitHub publishing scripts that need careful review before use.

Install only if you are comfortable reviewing and controlling the shell scripts. Avoid granting access to broad Documents or Downloads folders, do not use sensitive files as source material, protect or rotate Feishu credentials written by the setup script, and do not run the GitHub publish/create scripts unless you intentionally want repository publication and understand the token, global credential, remote, and force-push effects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Context-Inappropriate Capability

Severity: Medium, confidence: 90%
The README advertises an `auto-create-and-push.sh` script that can create and push to GitHub repositories, which exceeds the narrowly described content-generation purpose and introduces source-control side effects. In an agent/skill ecosystem, unnecessary repo creation or push capabilities can be abused to exfiltrate generated content, secrets, or modify remote repositories without clear user understanding.

Intent-Code Divergence

Severity: Medium, confidence: 96%
The document explicitly warns against hardcoding tokens, but then instructs users to place a live GitHub Personal Access Token directly into shell startup files and export commands. Persisting long-lived credentials in plaintext on disk increases the chance of accidental disclosure through dotfile sync, backups, screenshots, shell history, local compromise, or shared workstation access.

Intent-Code Divergence

Severity: Medium, confidence: 98%
The guidance frames environment variables as a secure mechanism, but the provided 'recommended' setup stores the secret permanently in ~/.zshrc as plaintext. That undermines the claimed protection because the token remains recoverable from the filesystem and may be propagated to other systems via dotfile management or backups.

Intent-Code Divergence

Severity: Medium, confidence: 90%
The script advertises repository creation and push automation, but it also changes Git credential behavior globally and writes an additional local report file. The hidden global side effect is the more significant issue because it alters the user's broader Git environment beyond this repository, which can lead to unintended credential persistence and surprise behavior.

Intent-Code Divergence

Severity: Medium, confidence: 92%
The script collects Feishu App ID and App Secret interactively and later writes them into a JSON configuration file and related local artifacts under the user's home directory. Persisting secrets in plaintext without warning, access control, or safer secret-handling mechanisms increases the risk of credential disclosure through local compromise, backups, sync tools, or accidental sharing.

Missing User Warnings

Severity: Medium, confidence: 93%
The quick-start workflow explicitly instructs the agent to search the web and read a local file from ~/Documents, but it does not warn users that this may access sensitive local data or transmit derived content to external services. In an agent skill, examples strongly influence real user behavior, so missing consent/privacy guidance can lead to unintentional exposure of proprietary or personal information.

Missing User Warnings

Severity: Medium, confidence: 95%
This example tells the note agent to read a specific local document but does not disclose that local documents may contain confidential business, personal, or credential-bearing information. Because the file path is user-home scoped, the context makes the omission more dangerous: users are being normalized into granting filesystem access without any warning or minimization guidance.

Missing User Warnings

Severity: Medium, confidence: 91%
The image-generation example describes searching reference images and generating outputs through a third-party service ('豆包', Doubao) without telling users that prompts, reference data, or generated assets may be transmitted externally. In a multi-agent content workflow, this can cause silent disclosure of product plans, branding assets, or other sensitive creative material.

Missing User Warnings

Severity: Medium, confidence: 98%
The README instructs users to execute a remote script directly with `curl ... | bash`, which prevents meaningful inspection before execution and gives the remote content immediate code execution on the host. If the upstream repository, network path, or referenced script is tampered with, users could execute arbitrary commands, install persistence, or expose local data.

Missing User Warnings

Severity: Medium, confidence: 95%
The README asks users to enter App ID and App Secret but provides no guidance on secure handling, redaction, storage, or least-privilege practices. In a bot/agent setup, these credentials can grant API access to messaging or document systems, so careless collection or logging materially increases compromise risk.

Missing User Warnings

Severity: Medium, confidence: 97%
The README shows generated local config files containing `app_secret`, but gives no warning that secrets are being written to disk in plain form. Local secret persistence increases the blast radius of compromise through filesystem access, backups, shell history, logs, or accidental repository inclusion.

Missing User Warnings

Severity: Medium, confidence: 94%
The documentation explicitly advertises automatic installation behavior that includes creating directories, configuring permissions, and restarting the Gateway, but it does not warn users that these actions modify the local environment and can disrupt running services. In a skill package context, encouraging users to run an install script with side effects increases the risk of unintended system changes or abuse if the script contents are unsafe.

Missing User Warnings

Severity: Medium, confidence: 91%
The skill description and examples state that the agent can perform web searches and read local files, but there is no privacy notice, scope limitation, or explanation of how local and retrieved data will be handled. In a multi-agent content workflow, this can lead users to expose sensitive documents or unintentionally mix private local data with externally sourced content.

Vague Triggers

Severity: Medium, confidence: 90%
The manifest declares fully automatic installation behavior, including downloading files, setting permissions, restarting the gateway, and generating docs, but does not define explicit user-trigger conditions, confirmation requirements, or safety boundaries. In a skill package, this broad auto-install/auto-activation behavior increases the risk of unintended system modification or service disruption if the package is installed or parsed by tooling that trusts the manifest.

Missing User Warnings

Severity: Medium, confidence: 89%
The skill explicitly references external services for image search and Doubao image generation but does not disclose that user prompts, product details, or other request content may be sent to third-party systems. This creates a real privacy and data-handling risk because users may unknowingly submit sensitive business or personal content to external APIs.

Vague Triggers

Severity: Medium, confidence: 88%
The skill advertises very broad image-related keywords and capabilities, which can cause over-triggering for generic user requests and route users into a powerful image-search and generation workflow without clear scope boundaries. In this context, the integration with the web, local files, and a material library increases risk because an overly broad activation surface can expose unrelated content sources or cause unintended content-generation behavior.

Vague Triggers

Severity: Medium, confidence: 88%
The keyword list is broad and generic for common social-media tasks, which can cause the skill to activate in contexts beyond its intended use. Overbroad activation increases the chance of unintended routing, policy bypass through misclassification, or inappropriate handling of user requests that should be served by a more specific or safer skill.

Missing User Warnings

Severity: Medium, confidence: 90%
The skill explicitly describes automatically opening a browser, searching the web, and reading webpage content, but it does not warn users that this causes external network access and may expose search queries, browsing activity, or sensitive topics to third-party services. In an agent context, this is risky because users may assume the action is local or harmless, while the skill encourages automated external access without consent, visibility, or privacy guidance.

Missing User Warnings

Severity: Low, confidence: 84%
The skill instructs users to submit webpage links for the agent to read and summarize, but it does not caution that supplied URLs may contain private, authenticated, internal, or otherwise sensitive content. This can lead users to paste confidential links into an automation flow that fetches and processes data beyond what they intended to expose.

Vague Triggers

Severity: Medium, confidence: 88%
The skill grants broad search, file-reading, knowledge management, and material-supply capabilities without defining clear invocation boundaries, user-consent requirements, or task-scoped limits. In this context, the danger is increased because it can access local directories such as Documents and Downloads and then supply gathered material to other agents, creating a plausible path for over-collection or unintended disclosure.

Missing User Warnings

Severity: Medium, confidence: 94%
The installer automatically clones or updates a remote GitHub repository directly into the user's skills directory and later offers to execute a script from that repository. This creates a software supply-chain risk: if the repository is compromised, renamed, force-pushed, or the network path is tampered with, untrusted code is fetched into a trusted execution location without integrity verification, pinning, or a clear security warning.

Missing User Warnings

Severity: High, confidence: 98%
The script performs `git push -f -u origin main`, which can overwrite remote history without any confirmation or safety check. In an automation context, this is dangerous because a user may irreversibly destroy commits on the remote repository or replace an existing project unexpectedly.

Missing User Warnings

Severity: High, confidence: 99%
`git config --global credential.helper store` enables plaintext-style persistent credential storage for all Git operations on the machine, not just this repository. In a skill script, this is especially risky because it silently broadens the exposure of the provided GitHub token and can leave reusable credentials on disk after the script finishes.

Missing User Warnings

Severity: Medium, confidence: 84%
The installer silently creates and populates directories under the user's home directory, including agent configuration files with file-access capabilities, without any confirmation or dry-run option. In a skill-install context, automatic persistent modification of user workspace state increases the chance of unwanted trust expansion and unnoticed local footprint, especially when skills are treated as potentially adversarial.

Missing User Warnings

Severity: Medium, confidence: 91%
The script restarts the OpenClaw gateway automatically after installation without prior user approval, affecting a running local service. In an agent-skill environment, silently bouncing the gateway can activate newly written skill code/configuration immediately, disrupt ongoing sessions, and reduce the user's chance to review changes before they take effect.

VirusTotal

VirusTotal findings are pending for this skill version.
