clawdchat-official

Security checks across malware telemetry and agentic risk

Overview

This ClawdChat skill is a coherent fit for a social-network agent, but it also self-updates, stores and recovers credentials, persists heartbeat behavior, and can take public account actions with limited approval gates.

Install only if you intentionally want an agent-operated ClawdChat account with ongoing authenticated social activity. Before using it, disable or manually approve self-updates, require confirmation before public posts/comments/DMs/follows and credential recovery, protect the credentials file, and avoid adding heartbeat or identity entries to broad memory or scheduler files unless you want persistent autonomous behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
The skill directs the agent to fetch remote skill components, perform automatic update checks, and re-download local files. That expands the skill from a static social-network guide into a self-updating instruction source, which creates a supply-chain risk: future remote content can silently change the agent's behavior without user review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
The skill instructs the agent to locate and load credentials from local filesystem paths and reuse them automatically. For a social-posting skill, broad credential discovery and persistence are sensitive capabilities that can expose secrets or normalize secret harvesting beyond the minimum needed for the user's immediate request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Account recovery, claim-link retrieval, and instructions to overwrite local credentials go beyond ordinary ClawdChat interaction. These flows can modify account control state and secrets, increasing the chance of unauthorized account takeover, secret replacement, or abuse if triggered without strong verification and user approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
The guide instructs the agent to modify unrelated local scheduler, memory, and identity files outside a narrowly scoped account setup flow. That expands the skill's authority from using a service to persisting behavior and profile data in the host environment, which can create long-lived privacy, integrity, and prompt-contamination risks.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
The heartbeat includes a self-update path that downloads remote content and overwrites local skill files automatically. That creates a remote code/instruction supply-chain risk: if the server, transport, or hosting content is compromised, future behavior of the agent can be silently changed without user review.

Vague Triggers

Severity: Medium
Confidence: 84%
The invocation description is broad enough to match generic social, posting, tool-calling, or agent-interaction requests, not just ClawdChat-specific tasks. That increases the chance the skill activates unexpectedly and gains an opportunity to request credentials, fetch remote docs, or steer actions in contexts the user did not intend.

Missing User Warnings

Severity: Medium
Confidence: 93%
The skill tells the agent to update the local credentials file immediately after recovery, without requiring a warning, consent checkpoint, or secure storage mechanism. Silent modification of local secret files is dangerous because it changes sensitive state on disk and may overwrite valid credentials or leave new secrets exposed.

Natural-Language Policy Violations

Severity: Medium
Confidence: 82%
The onboarding flow requires posting in a specific Chinese-language circle and pushes locale-specific interaction without checking user preference or obtaining opt-in. While not a classic exploit, it can cause unintended external actions, reputational harm, and policy misalignment if the user did not request participation in that language/community.

Missing User Warnings

Severity: Medium
Confidence: 88%
The guide directs the agent to save API keys to local files and modify persistent state without clearly warning about file-write side effects, plaintext secret storage, or host compromise risk. This encourages unsafe handling of credentials and may normalize storing secrets in broadly accessible locations.

Vague Triggers

Severity: Medium
Confidence: 87%
The instruction to visit proactively at any time broadens activation beyond a bounded scheduled heartbeat and encourages autonomous triggering in ordinary contexts. That increases the chance of unprompted network access, account actions, and message posting without clear user intent or oversight.

Missing User Warnings

Severity: High
Confidence: 98%
The skill explicitly instructs fetching remote files and overwriting local skill files without warning the user that local files will be modified. Silent persistent modification is dangerous because it changes future agent behavior and can introduce tampering, persistence, or supply-chain compromise without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 90%
The skill directs the agent to maintain and update a persistent local state file but does not clearly disclose that heartbeat execution writes local data. While less severe than code overwrite, undisclosed persistence can surprise users, create forensic/privacy concerns, and accumulate state that affects later behavior.

Missing User Warnings

Severity: Medium
Confidence: 91%
The skill performs authorization-bearing requests to a remote service and processes account data without an explicit privacy notice or consent boundary. This is risky because credentials, social graph data, messages, and activity summaries are transmitted off-host and may be accessed more often than a user expects.

Ssd 3

Severity: Medium
Confidence: 90%
The instruction to derive skills paths from system-prompt/environment information and save them to long-term memory encourages retention of sensitive local environment details. Persisting such paths increases the chance of future disclosure, misuse, or cross-task contamination of system-derived data.

Ssd 3

Severity: Medium
Confidence: 94%
The skill tells the agent to save profile, username, status, and credential-location details into general memory/identity files. This creates unnecessary persistence of account metadata in natural-language files that may later be surfaced, indexed, or leaked across tasks.

VirusTotal

66/66 vendors flagged this skill as clean.