ClawHub

Zernio API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Zernio API skill that can guide live social posting, but the sensitive behavior matches its stated purpose and is not hidden or automatic.

Install only if you trust Zernio and need its API reference. Treat its examples as live API calls: use test accounts where possible, keep API keys, app passwords, bot tokens, and webhook secrets out of chats, logs, and source code, and require explicit confirmation before publishing, retrying, deleting, bulk uploading, connecting accounts, or configuring webhooks on real social accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The quick-start example submits a real POST request with `publishNow: true`, which can cause immediate publication to a connected social media account if a user copies it verbatim. In an API reference skill, examples are highly likely to be reused directly, so the lack of a warning, sandbox guidance, or safer draft/scheduled default creates a meaningful risk of accidental live posting.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs users to submit a Bluesky app password directly in an API request, but it provides no warning about secret handling, storage, redaction, or the risks of logging credential material. In an API reference skill, this omission is security-relevant because downstream agents or developers may copy the example into insecure tooling, logs, prompts, or client-side code, exposing long-lived credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes examples that immediately publish content (`publishNow: true`) and retry failed posts without any warning that these actions have real external side effects. In an agent skill context, examples are often copied or operationalized directly, so this can cause unintended social media publication or duplicate posting if used without explicit user confirmation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The example demonstrates a POST request that creates a social media post with `publishNow: true`, which can immediately publish content to connected accounts, but it provides no cautionary note about the side effects. In an API reference skill, users may copy this snippet directly into production or testing contexts, increasing the chance of unintended live posting, account misuse, or reputational harm.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The documentation exposes endpoints for downloading third-party media and retrieving transcripts without any caution about copyright, privacy, consent, or acceptable-use constraints. In an agent setting, this can normalize bulk retrieval of third-party content and user-submitted URLs, increasing the risk of misuse, policy violations, and processing of sensitive or unauthorized content.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal