TokPortal

Security checks across malware telemetry and agentic risk

Overview

TokPortal appears transparent about its purpose, but it gives an agent broad at-scale social-media, spending, upload, and credential access that users should review carefully before installing.

Install only if you intentionally want an agent to operate TokPortal at scale. Use a restricted or low-credit API key where possible, pin and review the tokportal-mcp package before running it, require explicit approval for account creation, publishing, uploads, credential/code retrieval, and paid actions, and avoid exposing returned credentials or uploading private local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly advertises tools that return full account credentials and 6-digit verification codes, but provides no warning about the sensitivity of these secrets or guidance on when they should be accessed. In an agent context, this materially increases the chance of unauthorized credential retrieval, account takeover, or insecure logging/exposure of authentication data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that local files can be uploaded and converted into public URLs, but does not warn users that uploaded media may become publicly accessible. In an agent-driven workflow, this can lead to accidental disclosure of private videos/images, internal assets, or sensitive metadata if users assume uploads remain private.

VirusTotal

64/64 vendors flagged this skill as clean.
