OnlyFans API Access

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent OnlyFansAPI analytics helper, but it handles sensitive account and revenue data and should be used only with a trusted API key in a trusted environment.

Install this only if you want an agent to query OnlyFansAPI.com using your API key. Treat the key and returned revenue/account analytics as sensitive, prefer the least-privileged or read-only key available, avoid broad or ambiguous requests, and review any curl command that targets a domain other than app.onlyfansapi.com or attempts local file reads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly promotes querying OnlyFans account analytics, earnings, conversion rates, and multi-account aggregation using an API key, but provides no warning that the skill handles sensitive financial, account, and potentially adult-platform business data. In a skill intended for AI agents, this omission increases the chance that operators expose secrets or request broad account data without understanding the privacy, compliance, and least-privilege implications.

Vague Triggers

Medium
Confidence: 90%
Finding
The description says to use the skill for 'anything related to OnlyFans,' which is an overly broad trigger for a capability that performs authenticated network requests against a third-party analytics service. This can cause the skill to activate for loosely related queries and unnecessarily expose sensitive business analytics or cause unintended external API usage.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to send authenticated requests containing sensitive agency/model analytics to app.onlyfansapi.com but does not warn the user that their query will transmit potentially confidential revenue and performance data to a remote service. In a context involving adult-platform business data, omission of a disclosure and confirmation step increases the risk of privacy breaches, unintended data sharing, and surprise external processing.

VirusTotal

66/66 vendors flagged this skill as clean.
