ClawHub

social-content

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a social-media content helper, but it asks for an API key and describes publishing plus bulk scraping workflows without clear consent or scoping safeguards.

Review before installing. Only provide SKILLBOSS_API_KEY if you trust the provider, can revoke the key, and know which social accounts or services it can access. Treat outputs as drafts unless the agent asks you to approve the exact content, platform, account, and scheduled time before publishing. Avoid the scraping workflow unless you have authorization and it complies with the relevant platform rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs collection of 500-1000+ third-party social posts via a scraping API, expanding scope from content assistance into bulk data acquisition. This creates legal, privacy, and platform-terms risks and could cause the agent to gather and transmit third-party data without adequate user justification or safeguards.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is broad enough to activate on many generic marketing or content conversations, increasing the chance that users are routed into a skill containing scraping and scheduling instructions they did not explicitly request. Overbroad activation widens exposure to risky behaviors and can cause unanticipated tool use recommendations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes direct use of a third-party scraping endpoint but provides no user-facing notice that URLs and collected content may be sent off-platform. Lack of disclosure undermines informed consent and increases privacy/compliance risk, especially when collecting third-party content at scale.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal