auto-reply

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its Instagram DM automation purpose, but it needs review because it uses browser session cookies, reads and sends private DMs, can run continuously, and may forward DM previews to Discord.

Install only if you intentionally want this skill to access the Instagram account already logged into the OpenClaw browser. Use a dedicated account or browser profile, keep the browser debug port local and protected, avoid enabling the background watcher unless continuous monitoring is desired, and do not set Discord credentials unless you accept private DM snippets being sent to Discord.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises operational capabilities that require environment and network access, but does not declare permissions accordingly. This creates a transparency and consent problem: users or orchestrators may invoke a skill that can access local state and external services without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates materially sensitive behavior: extracting Instagram session cookies from a local DevTools endpoint, using internal Instagram APIs, and sending notifications via Discord. That mismatch is dangerous because it hides credential handling, non-public API usage, and third-party data transfer from the user, increasing the risk of unauthorized account access and privacy violations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script does more than passively check notifications: it extracts authenticated browser cookies and CSRF data from a live Instagram session, then uses them to query Instagram's inbox API directly. That grants the code access to the user's authenticated session material and private DM metadata/content without an explicit user-consent flow, which is highly sensitive and exceeds what a simple notifier should need.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Using Chrome DevTools Protocol over WebSocket to enumerate tabs and extract cookies/session identifiers is a powerful credential-access capability. In the context of an auto-reply/checking skill, this is disproportionate and creates a path to session theft, account misuse, and broad access to other authenticated browser state if reused or extended.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code exfiltrates private Instagram DM previews to Discord, which is outside the stated Instagram-only monitoring and reply workflow. This creates an unnecessary cross-service data flow of sensitive message content and identities, increasing privacy, compliance, and breach exposure if the Discord bot, channel, or recipient is misconfigured or compromised.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill accesses Discord bot credentials and invokes Discord APIs even though its described purpose is Instagram DM auto-reply. This hidden capability expands the trust boundary and attack surface, and could leak sensitive data or enable unauthorized messaging if the token or destination settings are abused.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill description promises an injection-rejection security check for DM handling, but the reply flow accepts arbitrary message content and forwards it directly to Instagram's internal API without any validation or policy enforcement. In an agent setting, this can let prompt-injected or attacker-controlled DM content influence automated outbound actions, causing unauthorized replies or unsafe workflow decisions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code connects to a local Chrome DevTools Protocol endpoint, enumerates browser pages, and extracts authenticated Instagram cookies including csrf and user identifiers, then reuses them for direct API calls. This is effectively credential/session harvesting from the local browser, and if the skill is invoked unexpectedly or by a broader agent workflow, it grants full access to the user's Instagram session without a normal OAuth or consent boundary.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that the watcher can send Discord notifications but does not clearly warn that Instagram DM-derived data may be transmitted to Discord during monitoring. This is a privacy and data-handling issue because message metadata or contents from one platform may be exfiltrated to another service without clear user awareness.

Missing User Warnings

High
Confidence
96% confidence
Finding
The script silently collects cookies, CSRF tokens, and user identifiers from the browser session and reuses them in authenticated requests without any user-facing disclosure or approval. Even if the destination is Instagram itself, undisclosed handling of authentication material and private-message access is a serious privacy and security issue.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script persists DM-derived state to a local file to track whether messages are new. While the stored value is limited to usernames and timestamps rather than full message bodies, it still creates a local record of private communication metadata without disclosure, which can leak sensitive information if the host is shared or compromised.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes recent DM contents, usernames, and thread identifiers to dm-alert.json on disk without any visible disclosure, retention control, or access restriction. Persisting sensitive communications locally increases exposure to other local users, malware, backups, and accidental sharing.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script forwards private DM previews and usernames to Discord without clear disclosure or demonstrated necessity for the Instagram auto-reply workflow. Transmitting private communications to a third-party platform materially increases confidentiality risk and may violate user expectations or policy requirements.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Sensitive Instagram session cookies are collected from the browser and then used in outbound requests with no user-facing disclosure, consent prompt, or transparency about the security implications. In an agent skill context, hidden access to authenticated sessions is especially dangerous because users may believe the tool is only reading DMs, while it actually acquires reusable session credentials.

VirusTotal

64/64 vendors flagged this skill as clean.
