Security audit

Social Media Calendar

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable social media planning guide with minor documentation and privacy-guidance gaps, but no evidence of hidden or harmful behavior.

Safe to install as a planning/reference skill. Before using it, provide only analytics and customer or UGC material you are authorized to use, prefer aggregated metrics, redact unnecessary personal details, and treat the crypto/purchase metadata tags as a listing mismatch unless an installer asks for those permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Low
Confidence: 93%
Finding
The section is presented as a concrete weekly content-calendar example, but lines L157-L160 unexpectedly contain manifest header fields (`name`, `version`, `description`) spliced into a table row. That directly conflicts with the surrounding documentation's claim that this section is an executable example of calendar content, indicating the documented example does not match the actual text present.

Missing User Warnings

Low
Confidence: 79%
Finding
This is a markdown file, so SQP-2 applies to descriptions that omit warnings about behaviors affecting user data or privacy. The skill tells users to document audience demographics such as age, gender, and location, but does not include any caution about using aggregated/anonymized analytics or respecting platform privacy obligations.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.