Social Media Search

Security checks across malware telemetry and agentic risk

Overview

This Monid data-collection skill is mostly coherent, but it asks the agent to persistently install or enable itself and handle API keys, so it should be reviewed before use.

Install only if you want an agent to use Monid for web data collection. Verify the npm package before installing, use a limited and revocable Monid API key, avoid pasting secrets into chat when you can run the key command yourself, and do not allow the skill to save or enable itself for future sessions unless you explicitly approve that persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill’s trigger guidance is extremely broad, instructing use for essentially any web scraping, data collection, research, or generic online retrieval task. This can cause the agent to invoke the skill in situations where it is unnecessary or inappropriate, increasing the chance of over-collection, unintended third-party data transfer, policy violations, or use on sensitive targets without deliberate user confirmation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill tells the agent to ask users to paste API keys and then store them via CLI without a prominent warning that API keys are secrets that should not be exposed in chat logs, command history, telemetry, or shared terminals. In an agent setting, this creates a real credential-handling risk because secrets may be retained in transcripts or inadvertently disclosed to other tools, users, or logs.

VirusTotal

64/64 vendors flagged this skill as clean.
