Back to skill

Security audit

Clawbsky

Security checks across malware telemetry and agentic risk

Overview

This Bluesky automation skill is not proven malicious, but it can store login sessions and perform bulk/public account actions with weak safeguards.

Review this carefully before installing. Use only a dedicated Bluesky app password and preferably a test account first. Avoid running the standalone follow-growth or discover-repost scripts unless you have inspected and edited their hardcoded account/path settings. Treat cleanup, unfollow, block, mute, scheduler, RSS, and AI-posting features as account-changing actions; run dry-run modes where available and clear saved sessions when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (35)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares required environment variables and implies networked operation, but does not declare explicit permissions despite handling credentials and performing outbound actions against Bluesky and possibly LLM/RSS endpoints. This creates a transparency and consent problem: users or platforms may not understand the real privilege scope before enabling the skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented description understates the full set of account-impacting behaviors, while analysis indicates additional actions such as follow/unfollow, block/mute, reposting, webhook triggering, and automated growth workflows. Hidden or under-disclosed capabilities are dangerous because a user may authorize the skill for benign posting/analytics while it can perform materially different social-account operations on their behalf.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The inline comment states that mute and cleanup functionality is commented out and requires login, but the cleanup command is actually implemented and performs live unfollow/block/unblock actions. This mismatch can mislead reviewers and operators into underestimating the command's behavior, increasing the chance of unexpected destructive account changes.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This script implements automated bulk follow and later unfollow behavior specifically to drive account growth, which is a manipulative capability beyond a normal user-facing Bluesky CLI. In this skill context, the danger is increased because the functionality is explicitly packaged as a growth engine and can perform large-scale account actions using stored credentials, creating abuse, account sanctions, and reputational harm.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code sends the configured webhook secret directly in an HTTP header instead of using it to compute a request signature. That turns the secret into data disclosed to every destination endpoint and any intermediary with access to the request, defeating the normal purpose of a webhook secret and enabling replay or impersonation if that value is reused.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The skill is presented as a broad general-purpose Bluesky automation CLI without clear trigger constraints or guardrails on when account-affecting actions may be invoked. In an agent context, vague invocation scope increases the chance that an orchestrator or user triggers sensitive behaviors unintentionally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The AI generation and scheduling features are described as convenience functions, but the documentation does not prominently warn that they can publish content on the user's behalf, including delayed autonomous posting. This is risky because generated or scheduled content may be inaccurate, policy-violating, or posted at a later time when the user is not actively supervising.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
RSS automation is especially sensitive because it can ingest third-party content and transform or repost it automatically without a clear warning to the user. That creates elevated risk of spam, copyright issues, misinformation propagation, or malicious feed content being published through the user's account.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Auto-follow and unfollow tools directly alter a user's social graph and can trigger spam enforcement, reputation damage, or accidental mass account actions if invoked carelessly. In the context of an automation-focused social-media skill, these are more dangerous than ordinary content tools because they can rapidly affect many accounts/users with little oversight.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The test plan directs execution of live account actions such as posting, replying, liking, reposting, following, unfollowing, and optional media uploads against a real Bluesky handle, but it does not prominently warn that these steps will modify a production social account and publish visible content. In an agent or automation context, this can lead to unintended public posts, reputation damage, accidental interactions with third parties, and persistent side effects during testing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function fetches third-party post content and sends it to the LLM to generate replies without any visible disclosure, consent check, or minimization. This creates a privacy and data-handling risk because user-generated content and associated metadata are transmitted to an external AI component, and the skill context amplifies this since it is a social-media automation tool likely to process other users’ content at scale.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The analyze function sends profile or post data, including author handle and textual content, to the LLM without any user-facing warning or consent flow. In a multi-user Bluesky CLI with analytics and automation features, this is more dangerous because it can normalize bulk inspection and external sharing of third-party social data without transparency.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The function sends historical engagement and follower history data to a local LLM without any indication of user notice, consent, or data-minimization controls in this code path. Even if the model is local, this still expands the exposure surface for potentially sensitive analytics data and could violate user expectations or deployment privacy requirements.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This code forwards detailed daily stats to an LLM prompt without visible disclosure or privacy safeguards in the function. If those stats contain sensitive behavioral or account activity patterns, they may be unnecessarily exposed to model processing, logs, or downstream observability systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists Bluesky session objects to disk in .config/session.json and per-user files under .config/sessions without any access-control hardening, encryption, or user warning. Session tokens are authentication material; if another local user, malware, backups, or accidental file sharing expose these files, an attacker may be able to resume the victim's session and act as that account.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The module sends untrusted post content and author identifiers to an LLM to generate replies, but this file shows no disclosure, consent, or minimization controls around that data transfer. In a social-media automation skill, that creates a real privacy risk because third-party model services may log or retain user-generated content, including sensitive or personal information contained in posts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The follow-back feature sends profile description and display name/handle to the LLM without any visible notice or privacy guardrails in this file. Because profile text can contain personal, sensitive, or unexpected third-party data, forwarding it to a model service without transparency or consent is a legitimate privacy issue rather than a harmless implementation detail.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function sends full original post text to an LLM to generate a rewritten variation, but there is no indication of user consent, disclosure, or filtering of potentially sensitive content before transmission. In a multi-user social-media automation tool, posts may contain private drafts, business-sensitive messaging, or regulated data, so silently exporting them to a model backend creates a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The cleanup command performs destructive account modifications—unfollowing users and soft-blocking them to remove followers—immediately after scanning, with no confirmation prompt or mandatory preview. In a multi-user authenticated CLI, a mistaken active session, typo, or scripted invocation could cause irreversible social graph changes at scale.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
bulkMute performs account-affecting actions against arbitrary DIDs immediately and in a loop, with no built-in confirmation, preview, or safety interlock. In a CLI/agent context, this makes accidental mass muting or abuse via chained automation much more likely, especially if upstream input is wrong, stale, or maliciously influenced.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
bulkUnmute similarly changes account state in bulk without a confirmation or review step. While generally less harmful than muting, it can still expose users to unwanted interactions or undo moderation decisions at scale if triggered accidentally or by unsafe automation.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
cleanupInactiveFollowers can perform irreversible-ish social/account actions by unfollowing many accounts based on heuristic classification, and it proceeds without any final confirmation when dryRun is false. Because inactivity detection treats API errors as inactivity and uses automated criteria, a mistake can lead to large-scale unintended unfollows and relationship damage.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This function sends content to an LLM to generate accessibility text, but the file contains no visible disclosure, consent, or warning that user-supplied or user-derived content may be transmitted to a model service. In a social-media automation CLI, users may reasonably expect local content processing, so undisclosed AI handling can create privacy and compliance risk, especially if images or related metadata are sensitive.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script silently loads an authenticated session from a fixed local path and immediately uses it to perform account actions. In a multi-user auth CLI, this increases the risk of unintended account access or misuse if the wrong session file is present, permissions are weak, or the operator does not realize credentialed actions will occur.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs bulk follow operations, potentially up to 1000 accounts, without an explicit confirmation or dry-run step. That makes accidental large-scale account modification easy and, in this skill context, materially increases the chance of abuse, platform enforcement, or unintended actions against the authenticated account.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
sg-post.mjs:6