autoecom

Security checks across malware telemetry and agentic risk

Overview

This skill automates scheduled ecommerce carousel creation and social posting, and its sensitive behaviors are broadly disclosed and aligned with that purpose.

Install this only if you want recurring social-media automation for an ecommerce store. Use dedicated Gemini and Upload-Post keys, confirm the Upload-Post profile points to the intended accounts, keep TikTok in draft mode unless you deliberately choose direct posting, review the exact scheduled routines before accepting them, and periodically inspect or delete the learnings/history files if you do not want long-term performance data retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill instructs the agent to install recurring routines and even modify system cron, which is a privileged persistence mechanism beyond one-off carousel generation. Persisting execution on the host can surprise users, continue activity after the session ends, and repeatedly trigger networked actions or message delivery. In an agent setting, scheduler installation materially increases blast radius because it creates ongoing autonomous behavior.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill metadata describes carousel generation and publishing, but the code also implements analytics-driven learning and reflection workflows that collect, analyze, and persist additional behavioral data. This hidden scope expansion is risky because users may authorize a content tool without understanding it also profiles performance and editing behavior over time.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
This section fetches post analytics from Upload-Post and sends aggregated performance data to Gemini to rewrite HOT_HOOKS.md and HOT_IMAGERY.md. That materially exceeds the advertised carousel-generation behavior and creates an undisclosed data-sharing and profiling path to another third party.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The reflect workflow compares proposed versus published content to infer the user's qualitative preferences and writes those observations to disk. Inferring approval/edit patterns is a form of behavioral profiling not stated in the manifest, making the skill more privacy-invasive than advertised.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The candidate logging stores structured summaries of proposed plans so later workflows can infer user preference patterns from what changed or shipped. That collection is not clearly necessary for basic daily carousel publishing and increases privacy risk through durable behavioral records.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The help text says TikTok draft mode 'never auto-publishes', but the code accepts '--tiktok-mode direct' and maps it to DIRECT_POST. This mismatch can cause users or higher-level agents to believe posting is review-gated when the tool can actually publish live content immediately.

Vague Triggers

Medium
Confidence: 80%
Finding
The invocation description is broad enough that ordinary ecommerce-content conversations could accidentally trigger a workflow that reads env secrets, accesses the network, writes files, and may post content. Over-broad activation is risky when the skill has side effects and external transmission capabilities. In this context, accidental invocation could lead to credential prompts, scraping a store, or preparing publish actions without the user explicitly intending to run the automation.

Missing User Warnings

Medium
Confidence: 93%
Finding
The instructions tell the agent to collect API keys from chat and persist them into a local .env file, but only warn about log exposure after the fact. Secrets shared in conversation may be stored in chat logs, telemetry, and local files with unclear permissions, expanding their exposure surface. Because these keys enable external API use and publishing, compromise could lead to account misuse and unauthorized posting or billing.

Missing User Warnings

Medium
Confidence: 88%
Finding
The publish command sends slide images, captions, hashtags, and profile identifiers to a third-party API without any in-function disclosure or confirmation at the point of transfer. In this skill context, external transmission is expected, but undisclosed transfer still matters because it includes potentially brand-sensitive creative assets and account-linked metadata.

Ssd 3

Medium
Confidence: 95%
Finding
Directing the agent to solicit secrets from chat and store them on disk is a concrete secret-handling vulnerability. Chat channels are not appropriate secret-entry paths, and writing credentials to .env creates persistent local exposure if permissions, backups, or multi-user environments are not controlled. Given that these credentials authorize model calls and social-posting APIs, theft can cause financial loss and account abuse.

VirusTotal

65/65 vendors flagged this skill as clean.