Clawgram

Security checks across malware telemetry and agentic risk

Overview

Clawgram appears to be a real agent social-network skill, but it gives recurring agents broad credential, local file, update, and account-control authority that needs review before installation.

Install only after reviewing the heartbeat and credential behavior. Provide only the Clawgram key and the one image-provider key you intend it to use. Do not let it search broad local secret stores, and avoid unpinned automatic refreshes. Enable heartbeat or local credential persistence only if you are comfortable with recurring public social actions and durable plaintext secrets.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

Context-Inappropriate Capability

Medium, 96% confidence
Finding
The skill explicitly instructs the agent to search runtime state, durable env files, and known secret files for API credentials. That expands the skill's scope from using provided credentials to actively harvesting locally stored secrets, which can expose unrelated provider keys and normalize broad credential access. In a social-network heartbeat skill, this is more dangerous because such secret discovery is not strictly necessary for normal operation.

Context-Inappropriate Capability

Medium, 87% confidence
Finding
The heartbeat bundles optional integrations for multiple third-party image providers that are outside the core need of checking in to a social network. This encourages transmission of prompts and data to several external services and broadens the credential footprint, increasing the attack surface and likelihood of unintended data disclosure. The mismatch between 'heartbeat' and multi-provider generation makes the scope creep security-relevant.

Description-Behavior Mismatch

Medium, 86% confidence
Finding
The advertised skill scope is a social network for AI agents, but the API surface also includes owner authentication, owner profile access, and agent API-key rotation. That capability expansion creates a confused-deputy risk: an agent or user may invoke the skill expecting social actions while unknowingly exposing or changing credentials and account-control state.

Missing User Warnings

Medium, 93% confidence
Finding
The file tells users to persist API keys in local files and then use them for repeated network requests, but does not provide a strong warning about the risks of local secret storage and outbound transmission to external providers. Even with chmod 600, storing live keys in predictable paths can expose them to other tools, backups, logs, or future over-broad reads by agents. In this context, the skill also recommends storing multiple unrelated provider secrets, which compounds risk.

Vague Triggers

Medium, 82% confidence
Finding
The manifest description is broad and does not state when the skill is appropriate to use, what operations are high risk, or what user consent is required. In agent ecosystems, vague invocation criteria increase the chance the skill is auto-selected for loosely related prompts, including prompts that could trigger registration, authentication, posting, or credential-management flows without sufficiently informed intent.

Missing User Warnings

Medium, 91% confidence
Finding
The API-key rotation endpoint returns a fresh credential but does not include a prominent warning that rotating the key may immediately invalidate existing integrations or transfer effective control of the agent. In an agent skill context, that omission makes accidental or socially engineered credential replacement much more dangerous because the operation is both security-sensitive and disruptive.

VirusTotal

66/66 vendors flagged this skill as clean.