
Security audit

hum

Security checks across malware telemetry and agentic risk

Overview

This looks like a real social-content automation skill, but it needs review because it can use sensitive social credentials, publish or follow from user accounts, send digests externally, and performs several side effects that are not gated behind user confirmation.

Review before installing. Use it only with accounts you are comfortable automating, store API tokens and X session cookies securely, and do not run publishing, following, digest sending, analytics scraping, or image generation unless you have confirmed the target account, recipient, content, and provider. Treat --dry-run as unreliable for the loop until it is fixed, and avoid running the dashboard while browsing untrusted websites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (21)

Tainted flow: 'req' from os.environ.get (line 104, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
        method="POST",
        )

        with urllib.request.urlopen(req, timeout=30) as resp:
            data = json.loads(resp.read().decode())

        enhanced = data["choices"][0]["message"]["content"].strip()
Confidence: 95%
Finding: with urllib.request.urlopen(req, timeout=30) as resp:

Intent-Code Divergence
Severity: Medium
Confidence: 83%
Finding: The browser instructions assert that all requested data is publicly visible without login, but several requested fields such as profile views, search appearances, and post impressions are typically private analytics. This can cause an agent to attempt unauthorized collection from authenticated sessions or mis-handle private account data under a false assumption of public visibility.

Intent-Code Divergence
Severity: Medium
Confidence: 94%
Finding: validate() is documented as a pure validation routine, but it performs image generation via an imported module and mutates post.media_path. In an agent setting, callers may invoke validation or preview paths assuming they are side-effect free, which can trigger unexpected external actions, network/API usage, file creation, or cost-incurring operations on untrusted content.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding: format_preview() calls validate(post), so a function presented as a harmless preview can indirectly generate images and mutate the object. In agent workflows, previews are commonly treated as safe inspection steps, making this hidden behavior especially risky because attacker-controlled drafts can cause side effects during rendering or review.

Intent-Code Divergence
Severity: Medium
Confidence: 73%
Finding: The module presents itself as a search/feed scraping client, but it also contains a capability to perform account-follow actions on behalf of the authenticated X session. This mismatch is dangerous because reviewers or calling code may treat the file as read-only data access while it can silently mutate the user's account state using harvested session cookies.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The script advertises a --dry-run mode that should avoid sending or performing real actions, but the parsed flag is never consulted and the full workflow still executes. In an agent skill, this is especially risky because operators may rely on dry-run for safe testing and instead trigger network fetches, browser-driven actions, or other side effects unintentionally.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill specifies that the Morning Digest cron job automatically triggers refresh-feed and Step 4 explicitly sends the digest via Telegram, with no approval gate or opt-in confirmation in the workflow. This creates an unauthorized outbound messaging path that could leak private feed contents, knowledge-source summaries, or behavioral patterns to a Telegram target on a schedule without contemporaneous user consent.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The skill explicitly instructs the agent to fetch from multiple external services and to send a digest via Telegram, but it does not clearly warn the user that running the loop causes outbound network access and transmission of collected content. In an agent-skill context, hidden or under-disclosed exfiltration paths are security-relevant because users may execute the workflow without realizing what data leaves the local environment or which third parties receive it.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The skill documents use of X session cookies (`AUTH_TOKEN` and `CT0`) from a local credential file or environment variables, but it does not include a warning that these are highly sensitive authentication artifacts equivalent to active session material. In practice, normalizing use of raw session cookies in skill instructions increases the risk of accidental exposure through logs, shell history, misconfigured files, or downstream tooling.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill exposes a direct publishing capability to X and LinkedIn via APIs, but the description does not prominently warn users that invoking `/hum publish` can perform irreversible external actions on their behalf. In an agent setting, insufficient disclosure increases the risk of accidental posting, reputational harm, and misuse of connected social accounts, especially because the skill also automates drafting and approval workflows that may make publishing feel like a routine local action.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: `/hum refresh-feed` collects personal feed data from the X home feed, configured profiles, Hacker News, YouTube, and knowledge sources, then sends a digest to Telegram, but the skill description does not clearly disclose this data handling behavior. That creates a privacy risk because users may not realize their personal reading graph, followed-source activity, and aggregated content are being fetched, stored, and transmitted to a third-party messaging service.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The code explicitly returns browser-scraping instructions that direct an agent to collect profile and recent-post data from X and LinkedIn, but it contains no consent check, authorization validation, or user-facing notice about data collection. In an agent context, this can lead to silent scraping of account analytics and post content from third-party platforms, potentially violating user expectations, platform terms, or privacy requirements.

Missing User Warnings
Severity: Medium
Confidence: 81%
Finding: The skill instructs collection of profile and recent-post data via browser scraping without any privacy notice, consent gate, or limitation on what may be collected from a logged-in browser context. In an agent setting, this increases the risk of silently harvesting personal or semi-private data from LinkedIn pages beyond what a user expects.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: When `--update-draft` is used, the script silently modifies the original draft by appending publishing metadata and may also move the file into a `published/` directory. In an agent or automation context, this creates integrity and workflow risks because a caller may intend to publish content but not realize the source file will be altered or relocated, which can break downstream tooling, overwrite expected state, or cause loss of the original draft location.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: When image_prompt is set and media_path is absent, validate() automatically invokes image generation without explicit user confirmation and only logs after the action. In this skill context, drafts and prompts may come from untrusted or semi-trusted content, so automatic generation can leak data to external services, create unexpected files, consume credits, or trigger prompt-injection-style downstream effects in the image generation component.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The file exposes follow_accounts(), which can cause authenticated account actions without any confirmation, policy check, or visible user warning in this layer. In an agent/skill context, that makes unintended or covert social-graph manipulation more likely because a higher-level caller can trigger follows using the user's session tokens with little friction or auditability.

Missing User Warnings
Severity: Medium
Confidence: 82%
Finding: This provider sends the user's image prompt to Google's Gemini service, but this file contains no enforcement of user notice, consent, or policy gating before third-party transmission. In a skill/agent context, prompts may contain sensitive business, personal, or regulated data, so silent transfer to an external vendor creates a real privacy and data-governance risk.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: This code transmits prompts to xAI's external API without any user-facing warning or in-file safeguard that consent or data-classification checks have occurred upstream. In agent environments, prompts often embed confidential instructions or user data, making undisclosed third-party sharing a meaningful privacy exposure.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The MiniMax provider forwards prompts to an external service without any built-in disclosure, consent, or sensitivity screening in this component. That can expose confidential prompt content to a third party if higher layers do not warn users or restrict use.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: This OpenAI provider transmits prompt contents to an external image API without visible notice or guardrails in this file. In an agent skill, that is significant because prompts can contain sensitive user data, internal context, or proprietary instructions that should not be silently shared with a third party.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: This script performs a state-changing action on the user's X account by issuing a POST to the follow endpoint as soon as handles are provided, with no interactive confirmation, dry-run mode, or secondary authorization step. In an agent/skill context, that makes unintended follows easy to trigger through prompt injection, misunderstood user intent, or silent chaining from other tools, causing unauthorized account actions and reputational harm.

VirusTotal

67/67 vendors flagged this skill as clean.
