App Store ReviewReply

Security checks across malware telemetry and agentic risk

Overview

The skill matches its App Store review-reply purpose, but it uses high-impact App Store credentials, shares review content with third parties, and can replace existing public replies without a separate confirmation step.

Review before installing. Use a least-privilege App Store Connect key limited to the intended apps, confirm that sending review text and reviewer details to Anthropic and Telegram fits your privacy obligations, avoid storing real secrets in LaunchAgent plists, and be aware that approving or retrying a reply may delete and replace an existing public App Store response.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill clearly uses powerful capabilities including environment secret access, local file read/write, network access, and shell execution, but it does not declare permissions or present those capabilities explicitly as a consent boundary. That makes it harder for a user or platform to evaluate what the skill can do, and increases the risk of over-privileged execution with sensitive API keys and local data.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The command 'add app MyApp 1234567890' directs the AI to modify local code or configuration inside monitor.py, which crosses from operating the skill into changing its implementation. Allowing conversational requests to rewrite code/config can introduce persistence, accidental breakage, or unauthorized scope expansion beyond review monitoring.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README clearly describes sending low-rated review content and related metadata to external services (Claude for drafting and Telegram for alerts/digests), but it does not prominently warn operators about the privacy and data-sharing implications. App reviews can contain personal data, usernames, support details, and potentially sensitive complaint context, so omission of a disclosure increases the risk of unintended third-party exposure and noncompliance with privacy expectations or policy requirements.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The listed conversational triggers are broad natural-language phrases that could be matched during ordinary discussion rather than as deliberate commands. If an agent auto-executes on phrase match, this can cause unintended review checks, queue changes, or outbound API activity without clear user intent.

Vague Triggers

Medium
Confidence
69% confidence
Finding
The trigger phrase at this location is also conversational and underspecified, making accidental invocation plausible in normal chat. In a skill that can approve, reject, or post replies, ambiguous activation increases the chance of unintended state changes or external actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes sending review text, usernames, dates, and draft replies to Telegram, which transfers potentially personal or sensitive customer content to a third-party messaging platform without any privacy warning or minimization guidance. This expands data exposure beyond App Store Connect and may create compliance and confidentiality issues.

Missing User Warnings

Low
Confidence
67% confidence
Finding
The document lists several high-value credentials and instructs users where to store them, but does not include basic secret-handling warnings such as least privilege, file permission hardening, rotation, or avoiding logging. While not an exploit by itself, this omission increases the likelihood of insecure deployment and credential leakage.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code transmits raw review titles and bodies to Anthropic for clustering, but this file contains no consent, disclosure, or data-minimization controls. App reviews can contain personal data or sensitive support details, so sending them to a third-party LLM may create privacy, compliance, and data-governance risk.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The reject and skip actions immediately make irreversible state changes with no confirmation, dry-run gate, or secondary authorization. In this skill context, that can permanently suppress responses to unhappy customer reviews, causing operational damage and lost support visibility if invoked by mistake or through automation misuse.

Session Persistence

Medium
Category
Rogue Agent
Content
<string>YOUR_CHAT_ID</string>
    </dict>
</dict>
</plist>
```

Load it:
Confidence
97% confidence
Finding
plist

VirusTotal

64/64 vendors flagged this skill as clean.
