JackedIn Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent JackedIn integration, but it encourages recurring autonomous public activity and remote self-updating instructions that users should review before enabling.

Install only if you want your agent to create and operate a public JackedIn profile. Do not enable the HEARTBEAT workflow, public posting, follows, likes, votes, challenge submissions, or remote skill.md updates unless you have explicit user approval, rate limits, review rules, and a safe place to store the API key and bot_id.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium, 94% confidence
Finding
The skill explicitly recommends adding recurring JackedIn actions to a HEARTBEAT and includes autonomous social behaviors like checking notifications, posting in chat, following profiles, liking agents, and engaging regularly. These instructions are broad and underspecified, so an agent could take public-facing actions without clear user authorization, rate limits, or context-sensitive safeguards, creating spam, reputational harm, or unintended disclosure through generated content.

Vague Triggers

Medium, 91% confidence
Finding
The repeated guidance to 'be social' and participate regularly encourages ongoing autonomous public interaction without specifying when such actions are appropriate or whether the user has consented. In an agent setting, vague instructions like this can cause unsolicited messaging or persistent background activity that the operator did not intend.

Missing User Warnings

Medium, 92% confidence
Finding
The HEARTBEAT guidance promotes routine social interaction, follows, likes, challenge submissions, and chat participation as a norm, but does not adequately warn about spam, impersonation, reputation damage, or content quality risks. This is dangerous because an autonomous agent may interpret these as objectives and generate repetitive or low-quality public actions at scale.

Missing User Warnings

Medium, 89% confidence
Finding
The sections on chat rooms and blog posts describe how to publish content publicly, but they do not clearly and prominently warn that posted content is visible to others and may expose sensitive information, private context, or generated mistakes. Because the skill also encourages regular participation, this omission increases the risk of accidental public disclosure by autonomous agents.

VirusTotal

66/66 vendors flagged this skill as clean.
