Newsletter SEO Pipeline

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed newsletter and blog SEO workflow that reads local article/project files, runs local validation scripts, and writes a paste-ready output file.

Install if you want an SEO article pipeline and are comfortable with it reading project style/memory files and article drafts, running the included Python helper scripts, and creating a local paste-ready Markdown file. Use trusted companion skills and project folders, and check the target article path before running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to read project files such as `projects/<slug>/writing-style.md` and `projects/<slug>/project.md`, and to create or modify article outputs plus generated `-PASTE.md` files, but it does not declare any permissions. Hidden or undeclared file read/write behavior weakens reviewability and consent, and can lead to unintended access to workspace files when the skill is triggered.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Broad triggers like 'write article', 'write blog post', and 'write newsletter' can cause the skill to auto-activate for ordinary writing requests, pulling the agent into a multi-step pipeline with file access and script execution that the user may not have intended. Over-broad invocation increases the chance of surprise file operations, incorrect workflow selection, and misuse in contexts lacking required parameters.

VirusTotal

VirusTotal findings are pending for this skill version.
