Social Media Dashboard

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but it needs review because it can read private logged-in creator dashboards, earnings data, cookies, and browser profiles with weak consent and scoping controls.

Install only if you are comfortable letting the skill control your browser and read private creator dashboard data, including earnings. Use a separate browser profile if possible, avoid sharing raw cookies, close Chrome debugging mode after use, and review or redact any copied dashboard data before sending it to an AI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Medium
Confidence: 83%
Finding
The document claims the data is 'only stored locally,' but the implementation explicitly automates a browser to fetch remote Zhihu creator and income pages over the network. This is misleading security guidance because it understates that the skill accesses live authenticated account data from a logged-in browser session, which can include sensitive financial and analytics information.

Missing User Warnings

High
Confidence: 97%
Finding
The skill instructs the agent to automate Chrome/Safari via AppleScript and extract page text from authenticated creator dashboards, including earnings, followers, and analytics data, without presenting a clear upfront privacy warning or explicit consent boundary. In this context, the missing notice is dangerous because the skill accesses sensitive account data across multiple sites using elevated browser automation permissions, which increases the risk of over-collection and user surprise.

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger condition 'when the user asks to view CSDN data' is overly broad for a skill that automatically opens authenticated creator-center pages and reads account data including income and fan metrics. Without narrower invocation boundaries and explicit confirmation, the skill may collect sensitive account information in situations where the user did not understand that backend pages would be accessed and scraped.

Missing User Warnings

Medium
Confidence: 97%
Finding
The execution steps instruct the agent to automatically visit logged-in CSDN backend pages and extract page text containing sensitive account data, but they do not provide a proximate warning or consent checkpoint near execution. In this context, browser automation against authenticated sessions increases risk because the skill can read revenue and follower information directly from the user's active account session.

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation condition is broad enough that an agent could trigger this skill on a generic request to view Toutiao data without first confirming account ownership, intended scope, or whether the user wants browser automation and credential-backed access. In this context, the skill can access sensitive business metrics and authenticated session state, so ambiguous activation increases the risk of unintended data collection or privacy-invasive behavior.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to check for local Toutiao session/cookie data and reuse it, but it does not require a clear user-facing warning or explicit consent about accessing authentication material. Because cookies can grant direct account access and expose revenue, readership, and account-management data, silently inspecting or using local session data creates significant credential and privacy risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill is designed to collect creator analytics and income data, which are sensitive account details, yet it does not prominently warn the user that authenticated browser data will be accessed. Because the automation reads `document.body.innerText` from account pages, it may capture more information than the user expects from their logged-in session.

Missing User Warnings

Medium
Confidence: 94%
Finding
The login-check and collection flow silently uses the user's existing authenticated browser session to determine login status and then read account data pages. In context, this is more dangerous because the targeted pages include creator metrics and income information, and the use of full-page text extraction can expose sensitive content without sufficiently informed consent.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly instructs the user to scrape analytics data from a logged-in Toutiao dashboard, copy it to the clipboard, and paste it to an AI, but provides no warning about privacy, confidentiality, or downstream data handling. This creates a clear data-exfiltration path for potentially sensitive account metrics and identifiers, especially because the data originates from an authenticated session.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script drives an already authenticated Chrome session via AppleScript and extracts `document.body.innerText` from sensitive creator-platform pages, which can expose private account analytics, earnings, and fan data without an explicit consent or disclosure step at the point of collection. Because it reuses the user's live browser session, it bypasses normal credential prompts and can access whatever the logged-in user can see, increasing the risk of silent data harvesting if the script is run in an untrusted skill context.

Ssd 3

Medium
Confidence: 97%
Finding
The skill establishes a natural-language disclosure flow by telling the user to extract data from a logged-in publisher backend and paste it into the AI conversation. In context, this is more dangerous because the source is an authenticated account dashboard, so the workflow normalizes transferring non-public business/account analytics outside the original platform boundary.

VirusTotal

63/63 vendors flagged this skill as clean.
