yc

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for startup program automation, but it needs review because it reads live browser session cookies and can submit real applications/account updates with broad agent-driven control.

Review before installing. Use it only if you are comfortable giving an agent access to your YC browser session and letting it submit real updates or applications. Prefer specifying a single Chrome profile, avoid granting persistent Keychain 'Always Allow' access, run dry-run/headed preview modes first, and inspect JSON/application data before live submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The post-install script modifies source files inside a third-party dependency under node_modules without explicit user consent or accurate disclosure. Hidden install-time code rewriting undermines supply-chain transparency and can change security-relevant behavior, especially because the patched package appears related to browser cookie/keychain access.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The header comment states the script only creates a Claude skill symlink, but the implementation also rewrites third-party dependency code. This mismatch is dangerous because it conceals install-time behavior from reviewers and users, reducing the chance that risky supply-chain modifications are noticed before execution.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata says it is for startup program discovery, dashboards, and deadlines, but this client can also submit and modify YC weekly updates using the user's authenticated session. That capability expansion is security-relevant because it enables state-changing actions on behalf of the user that may not be expected from the declared purpose, increasing the risk of deceptive or unauthorized account activity.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill description says it is for startup program discovery, dashboards, and deadline tracking, but this file implements application submission, file upload, and video submission to a third-party service. That scope expansion materially changes the trust boundary: users may invoke the skill expecting read-oriented discovery features while it can transmit sensitive founder, company, and attachment data externally.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code defines structures for extensive sensitive personal and business data, including emails, phone numbers, citizenship, education, funding, investor identities, and growth metrics, none of which is suggested by the manifest description. In a skill advertised as discovery/dashboard tooling, collecting and handling this volume of sensitive data without clear disclosure increases privacy and misuse risk.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README encourages AI-agent-driven submission of weekly updates and applications, including browser automation, without a prominent warning that sensitive personal, business, and application data may be collected, processed, and transmitted automatically. In an agent-skill context, this increases the risk of users authorizing actions involving private data without understanding the privacy implications or review points.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Telling users to click macOS Keychain 'Always Allow' to decrypt Chrome cookies normalizes granting persistent credential-access permissions without explaining the security consequences. If the tool is compromised or overly broad in what it accesses, this permission can enable repeated access to browser-stored authentication material beyond a single approved use.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that YC commands read cookies from Chrome/Safari/Firefox but does not provide a clear warning that it is accessing live browser session data. Browser session cookies are sensitive authentication artifacts, so normalizing their extraction without strong disclosure increases the risk of inadvertent credential misuse or overbroad trust.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The application commands are presented as routine workflows, but the documentation does not clearly warn that they can submit real application data, upload files, and interact with live third-party forms. In an agentic context, this raises the chance of unintended submissions, privacy leaks, or irreversible actions being triggered without sufficient user confirmation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The CLI reads authentication cookies directly from local browser profiles to access YC accounts, but it provides no prominent warning, consent flow, or explanation of the sensitivity of this action. Browser-cookie extraction is highly sensitive because it can reuse live authenticated sessions and, in the wrong context, resembles credential theft or unauthorized account access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The SPC application flow collects substantial personal and professional data and can submit it via browser automation, yet there is no clear privacy disclosure, confirmation of what will be transmitted, or submission warning. This increases the risk of accidental disclosure of sensitive PII, especially when loading from JSON files or running automation non-interactively.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code programmatically extracts authenticated browser cookies for startupschool.org and ycombinator.com and returns them as reusable session material. Browser session cookies are credentials; accessing them without an explicit, informed user consent flow and clear disclosure of privacy/security impact creates real credential theft and account-takeover risk if the skill is run unexpectedly, reused in another context, or logs/forwards the cookies.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The function auto-discovers and iterates across all Chrome profiles, reading sensitive browser state until it finds a valid YC session. Enumerating every profile expands the blast radius beyond the user's intended account, can access other identities on the machine, and materially increases the privacy and credential-harvesting risk compared with asking for one explicit profile.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The function collects and transmits sensitive applicant data, including name, email, phone, LinkedIn, location, and detailed background responses, to Airtable and can submit automatically unless dryRun is set. There is no in-code confirmation, consent checkpoint, or explicit user-facing warning in this execution path, so an upstream caller could cause unintended disclosure of personal data to a third party.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The client posts a full application object containing sensitive founder and company information to a remote endpoint with no evidence in this code of user confirmation, just-in-time notice, or destination disclosure. In the context of an agent skill, silent transmission of such data is dangerous because users may provide it conversationally without realizing it will be sent to an external service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The uploadFile method sends arbitrary user-provided file contents to a URL returned by a prior API call, with no validation of the destination origin and no user-facing disclosure. This creates risk of unexpected exfiltration of attachments such as pitch decks or other sensitive documents, especially in an agent context where users may not inspect the target URL.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The submitEmail method transmits a user's email address to a remote service without any visible notice or explicit consent mechanism in this code. While lower sensitivity than full application data, email addresses are still personal data and undisclosed sharing is a privacy issue.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The submitVideo method sends user-provided video-related data to a remote endpoint, but the structure and sensitivity of that payload are not constrained or disclosed here. In a skill whose description does not mention media submission, this undisclosed outbound transfer can surprise users and expose personal content or metadata.

Credential Access

High
Category
Privilege Escalation
Content
- **a16z Speedrun**: No authentication needed (public API).
- **South Park Commons**: Uses Playwright (headless Chromium) to fill Airtable forms — no auth needed.

After installing, run `yc whoami` to verify the connection. If macOS shows a Keychain prompt, click "Always Allow". The CLI auto-detects all Chrome profiles to find your YC session.

## What You Can Do
Confidence
97% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
| Problem | Solution |
|---------|----------|
| `No session cookie found` | Log into startupschool.org in Chrome, then retry |
| macOS Keychain prompt | Enter your password and click "Always Allow" — the CLI needs to decrypt Chrome's cookies |
| Multiple Chrome profiles | The CLI auto-scans all profiles. To pick one: `--chrome-profile "Profile 1"` |
| Using Brave/Arc/other | Try `--cookie-source safari`, or log into startupschool.org in Chrome |
| Speedrun API error | No auth needed — check your internet connection |
Confidence
96% confidence
Finding
Keychain

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
Requires Node.js >= 22.

- **YC Startup School**: Uses cookies from your Chrome browser session — log into [startupschool.org](https://www.startupschool.org/) in Chrome first.
- **a16z Speedrun**: No authentication needed (public API).
- **South Park Commons**: Uses Playwright (headless Chromium) to fill Airtable forms — no auth needed.
Confidence
89% confidence
Finding
cookies from your Chrome browser session — log into [startupschool.org](https://www.startupschool.org/) in Chrome; cookies from (chrome, safari, firefox) | `chrome; cookies from Chrome; cookies | Log

VirusTotal

65/65 vendors flagged this skill as clean.
