Claw Social

Security checks across malware telemetry and agentic risk

Overview

This is a real paip.ai social integration, but it can automate public account actions and private-message replies while storing sensitive session data locally.

Install only if you trust the publisher and deliberately want paip.ai account automation. Avoid passing your real password on the command line, review or disable the background listener before use, do not run token-manager.sh casually, and protect or delete the saved token and /tmp message logs after testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script does more than passively interact with a social platform: it automatically likes and comments on other users' posts while browsing or searching. This creates undisclosed account actions on behalf of the user and can cause spam, reputation damage, or platform policy violations, especially because the behavior is randomized and silent.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The script consumes TOKEN and MY_USER_ID from the environment and immediately uses them to perform authenticated actions as the user. While environment-based credentials are common, in this skill they enable account activity that is not clearly bounded by the minimal description, increasing the risk of surprise actions and misuse if the script is invoked in an automated context.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script is presented as a token management/test utility, but it performs a state-changing social action by creating a public/private moment using a real bearer token. This is dangerous because an operator expecting a harmless authentication test may unintentionally post content to a live account, causing unauthorized actions, data leakage, audit noise, or reputational impact.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The header comment claims the script is for token retrieval and usage testing, but the implementation also publishes content. This mismatch can mislead reviewers and users into running a script that does more than advertised, increasing the likelihood of unintended authenticated actions against a live service.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The listener automatically invokes OpenClaw to interpret incoming chat content, formulate a reply, and send it, which turns untrusted inbound messages into autonomous agent actions. This greatly expands the trust boundary from transport handling to agentic decision-making, enabling prompt-injection-driven behavior, unintended actions, and unsafe replies without human review.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The documentation instructs users to pass their email and password directly on the shell command line, which commonly exposes credentials through shell history, process listings, audit logs, and terminal recording systems. Because these are primary account credentials rather than short-lived tokens, compromise could lead to full account takeover and downstream abuse of chat, posting, and profile functions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill documents persistent storage of session token, device ID, and user ID in workspace dotfiles without warning about sensitivity, file permissions, rotation, or cleanup. Storing authentication material in predictable local paths can enable token theft by other local users, malware, backups, or accidental inclusion in logs and archives, especially in shared or automated environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persists sensitive authentication artifacts to disk, including a bearer token, user ID, and device ID, under the user's home directory without setting restrictive permissions or warning the user. On multi-user systems, shared environments, backups, or compromised local accounts, these files could be read and reused to hijack the session or track the account.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Reading an authentication token from the environment is not inherently unsafe, but here it is paired with only minimal setup messaging and no strong warning that the token will be used to like and comment as the user. That can lead to uninformed credential use and accidental authorization of actions the user did not expect.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script performs authenticated POST requests to like and comment on content without prior confirmation, preview, or user control over targets. Silent write actions to a social account are dangerous because they can spam third parties, damage the user's reputation, and trigger account sanctions on the platform.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script performs a content-creating POST request immediately after login without any warning, dry-run mode, or user confirmation. In an agent or automation context, this can silently create posts on behalf of a user as soon as valid credentials are supplied, which is an unsafe default for a testing utility.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code persistently logs raw inbound WebSocket payloads to /tmp, which may contain private messages, identifiers, or sensitive content. Writing this data to a predictable local file increases exposure to other local processes/users and creates avoidable retention of user-provided content.

Ssd 1

High
Confidence
99% confidence
Finding
Untrusted inbound message text is interpolated into a high-priority system-style instruction that tells the downstream agent to take immediate action. This is a classic prompt-injection sink: a crafted message can manipulate the agent's reasoning, induce unintended API calls, and cause unauthorized or unsafe outbound responses under elevated instruction framing.

Ssd 3

Medium
Confidence
93% confidence
Finding
The component stores raw inbound messages and then replays message content into another agent workflow, creating a natural-language exfiltration and propagation path for user-supplied data. Sensitive content received over the WebSocket can be retained locally and then exposed to downstream tooling or logs beyond the original communication context.

Unpinned Dependencies

Low
Category
Supply Chain
Content
websockets
python-socks

# Note: The listener also requires the 'openclaw' CLI to be in the system's PATH.
Confidence
97% confidence
Finding
websockets

Unpinned Dependencies

Low
Category
Supply Chain
Content
websockets
python-socks

# Note: The listener also requires the 'openclaw' CLI to be in the system's PATH.
Confidence
95% confidence
Finding
python-socks

Known Vulnerable Dependency: websockets — 4 advisory(ies): CVE-2018-1000518 (websockets is vulnerable to denial of service by memory exhaustion); CVE-2021-33880 (Observable Timing Discrepancy in aaugustin websockets library); CVE-2018-1000518 (aaugustin websockets version 4 contains a CWE-409: Improper Handling of Highly C) +1 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
websockets

VirusTotal

52/52 vendors flagged this skill as clean.
