Agent Reputation Checker

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because parts of its trust score can describe the user’s own accounts instead of the agent being checked, while also using bundled and local credentials.

Install only if you are comfortable with the skill using bundled API keys, reading your Moltbook credential file if present, and sending queried agent names to the listed services. Do not rely on the composite trust score for payment or safety decisions unless the self-profile lookups are removed, excluded from scoring, or clearly labeled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: High. Confidence: 99%.
The Colony check does not evaluate the user-supplied target agent and instead authenticates with a built-in API key, then queries /agents/me. This can misrepresent the operator's own account data as the target's reputation, creating a deceptive trust signal that could cause users to make unsafe decisions based on false attribution.

Description-Behavior Mismatch

Severity: High. Confidence: 99%.
The Moltbook check reads a local credential and then calls /agents/me while presenting the output as the requested agent's reputation. This causes the tool to attribute the local authenticated user's profile metrics to an arbitrary target, which is a serious integrity failure for a trust-scoring tool.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
The skill reads a Moltbook API key from the user's home directory, which expands its access beyond a simple public reputation lookup. Even if the key is only used locally, accessing private credentials without an explicit opt-in is risky and can violate least-privilege expectations for a reputation-checking utility.

Intent-Code Divergence

Severity: Medium. Confidence: 93%.
The comment explicitly notes a self-check fallback even though the tool interface claims it checks the requested agent. That mismatch signals the developer knew the implementation did not match the security-relevant behavior users would infer, increasing the risk of misleading outputs and unsafe trust decisions.

Intent-Code Divergence

Severity: Medium. Confidence: 94%.
The Moltbook comment documents self-check behavior that conflicts with the claimed purpose of checking the supplied target agent. In a security/trust context, knowingly substituting self-account data undermines result integrity and can mislead users into trusting the wrong party.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The documentation states that the skill uses multiple API keys and reads a local credential file from ~/.config/moltbook/credentials.json, but it provides no warning about sensitive-data handling, consent, storage, or transmission. In a reputation-checking skill, this is more dangerous because credential use is ancillary to the user-facing task, so users may not expect local secret access or broad third-party API disclosure.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The script sends the user-supplied agent name to several third-party services without disclosure or consent. While network lookups are expected for this type of tool, the lack of warning means users may unknowingly reveal sensitive handles, aliases, or investigative targets to multiple external platforms.

VirusTotal

66/66 vendors flagged this skill as clean.