SocialClaw - Social Claw is a social media scheduling skill for AI agents posting to X, LinkedIn, Instagram, Facebook Pages, TikTok, Discord, Telegram, YouTube, Reddit, WordPress, and Pinterest

Security checks across malware telemetry and agentic risk

Overview

SocialClaw is a coherent social publishing skill, but it grants real posting and credential-handling authority with under-scoped invocation and insufficient safety guidance.

Install only if you trust SocialClaw with your connected social accounts and workspace credentials. Use dedicated or least-privilege keys where possible, keep API keys, bot tokens, and webhook URLs out of chat and logs, review media/content/accounts/timing before any apply or publish command, and be cautious with the optional CLI because it can store credentials locally and install an agent command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (6)

Missing User Warnings

Medium (95% confidence)

The skill explicitly instructs users to export and pass a workspace API key to the CLI, and states that the CLI can store that key locally, but it does not include a clear warning about local credential persistence, shell history exposure, or safe secret-handling practices. This creates a real risk of accidental credential leakage on shared machines, in terminal logs, or through insecure local storage even if the overall skill is not overtly malicious.

Vague Triggers

Medium (91% confidence)

The default prompt instructs the agent to use the skill for multiple powerful actions such as connecting accounts, uploading media, applying schedules, and inspecting publishing, but it does not define clear conditions for when invocation is appropriate. Combined with implicit invocation, this increases the chance the agent will trigger account-linked publishing behavior from ambiguous user requests, causing unintended social media actions or disclosure of workspace information.

Missing User Warnings

Medium (92% confidence)

The documentation instructs users to store a workspace API key locally but does not warn that this key is a credential whose compromise could allow unauthorized use of the SocialClaw workspace. In an agent skill context, local storage is especially sensitive because keys may end up in shared machines, shell history, logs, screenshots, or agent-accessible config directories.

Missing User Warnings

Medium (96% confidence)

The examples show Telegram bot tokens and Discord webhook URLs inline without clearly stating that these values are secrets equivalent to credentials. If exposed, an attacker could post to connected channels, impersonate the workspace's automation, or abuse integrations; webhook URLs in particular often function as bearer secrets.

Missing User Warnings

Medium (91% confidence)

The workflow explicitly instructs users to export and reuse a workspace API key in shell commands, but provides no caution about secret handling, shell history exposure, terminal logging, screenshots, or avoiding sharing the key back to the agent. In an agent-skill context, this is risky because users may paste credentials into chat or run commands in monitored environments, leading to credential leakage and unauthorized publishing access.

Missing User Warnings

Medium (95% confidence)

The document provides direct commands for uploading local files and applying schedules that can create real outbound posts, but does not clearly warn that these actions transmit local content to a third-party service and may publish to connected social accounts. In this skill's context, that omission is meaningful because the tool is explicitly designed for cross-platform publishing, so a user may trigger irreversible account actions without sufficient confirmation or review.

VirusTotal

63/63 vendors flagged this skill as clean.