Mob Android Sharesdk Integration

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Android ShareSDK integration helper, but it handles app secrets and can run Gradle, so users should review those steps carefully.

Install only if you are comfortable letting the skill edit an Android project, read a local ShareSDK credential spreadsheet, and sync Gradle. Keep real appSecret values out of chat and public repositories, review generated Gradle changes before applying them, and run Gradle only in projects you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The skill documents retrieval of social-login identifiers and tokens even though its stated purpose is only share-feature integration. Expanding into auth-token handling without clear need or boundaries encourages collection of sensitive credentials and can normalize insecure token exposure or misuse in client code.

Missing User Warnings

Medium
Confidence: 93%
Finding
The template explicitly asks the user to provide sensitive credentials such as MobSDK appSecret and many third-party platform app secrets, but it gives no guidance to avoid pasting secrets into chat, markdown files, or other insecure channels. In an agent skill context, prompting users to submit secrets back to the assistant increases the chance of credential exposure through conversation logs, skill storage, screenshots, or downstream tooling.

Missing User Warnings

Medium
Confidence: 90%
Finding
The workflow instructs the skill to generate and then read an Excel file containing appKey, appSecret, and platform credentials from the user's project without prominently disclosing this sensitive-data handling up front. Hidden or under-disclosed collection of SDK secrets increases the risk of credential exposure, accidental logging, or overbroad access to local project data.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill may automatically run `./gradlew --refresh-dependencies` in the user's project but does not clearly warn about this in its description. Automatically executing build tooling in an arbitrary local project can trigger untrusted Gradle scripts, dependency resolution, network access, and other side effects, making this materially risky in a security context.

VirusTotal

64/64 vendors flagged this skill as clean.
