Viral Restaurant Marketing

Security checks across malware telemetry and agentic risk

Overview

This skill is a restaurant marketing helper with optional, disclosed Postiz scheduling guidance and no evidence of hidden execution, data theft, persistence, or destructive behavior.

Reasonable to install for restaurant marketing assistance. Before using any Postiz automation, confirm what content, media URLs, schedule times, and account destinations will be sent; keep POSTIZ_API_KEY in a secure environment variable or secret store; and verify customer permissions, review-contest rules, and public marketing claims before posting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents automated transmission of content and media to a third-party scheduling API without a clear user-facing notice, consent step, or data-minimization guidance. If used in agentic contexts, users may not realize that post content, media URLs, and scheduling metadata are being sent off-platform to an external service, creating privacy and confidentiality risks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Referencing an external API key in the workflow without credential-handling guidance can lead users to store, expose, or misuse secrets in unsafe ways. In agent environments, this increases the risk of accidental token leakage through logs, prompts, source files, or client-side code, which could allow unauthorized posting or account abuse.

External Transmission

Medium
Category
Data Exfiltration
Content
**Postiz API Integration (if automating):**
```javascript
// Post via Postiz API
const response = await fetch('https://api.postiz.com/v1/posts', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.POSTIZ_API_KEY}`,
```
Confidence
90% confidence
Finding
fetch('https://api.postiz.com/v1/posts', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
**Postiz API Integration (if automating):**
```javascript
// Post via Postiz API
const response = await fetch('https://api.postiz.com/v1/posts', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.POSTIZ_API_KEY}`,
```
Confidence
90% confidence
Finding
https://api.postiz.com/

VirusTotal

63/63 vendors flagged this skill as clean.
