mar-content-ideas-generator

Security checks across malware telemetry and agentic risk

Overview

This skill coherently generates social post outlines, with disclosed local file output and an optional external URL-scraping workflow that users should treat carefully.

Install only if you are comfortable with generated outlines being saved under content-ideas and with any provided URLs being fetched through SkillBoss API Hub. Prefer pasting sensitive material directly instead of submitting private, tokenized, or access-controlled links, and review the generated outlines for exaggerated or unsupported claims before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium, 92% confidence
Finding
The skill accepts arbitrary URLs and sends them to an external scraping service, which expands its behavior beyond simple user-provided text transformation. This creates a real data-flow and trust-boundary issue because remote content is fetched and processed off-system, potentially exposing internal URLs, private resources, or unexpected content without adequate restriction.

Missing User Warnings

Medium, 95% confidence
Finding
The skill does not clearly disclose that URL inputs are transmitted to an external scraping API. Users may reasonably believe they are only providing reference material to the local skill, when in fact submitted URLs trigger third-party processing and data transfer.

Missing User Warnings

Low, 84% confidence
Finding
The skill specifies that outputs are written to a local markdown file but does not prominently warn users about this persistence behavior. While lower risk than external transmission, silent file creation can expose sensitive source-derived content to other local users, tools, or later workflows.

VirusTotal

64/64 vendors flagged this skill as clean.