Clawhub Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Citedy marketing integration, but it gives an agent broad power to spend credits, publish publicly, delete content, and run recurring automation without consistently requiring explicit confirmation.

Install only if you trust Citedy with the connected marketing, social, search, and content accounts. Before use, require explicit approval for public posts, recurring sessions, paid generation, webhook changes, deletes, settings changes, and API key rotation; set spend and cadence limits; confirm connected accounts; and know how to pause sessions and revoke the key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The skill instructs execution of a local Node.js script during setup, which expands the attack surface from simple API usage to arbitrary local code execution. Because skill content is untrusted and the script contents are not shown or constrained here, this creates an unnecessary path to executing attacker-controlled or supply-chain-compromised code on the user's machine.

Context-Inappropriate Capability

Severity: Low
Confidence: 84%
Finding:
The keep-alive instruction directs the agent to make periodic autonomous calls unrelated to an immediate user task, creating persistence-like behavior and ongoing external communication. While low severity, this can normalize background activity, leak metadata over time, and consume rate limits or credits in a way the user did not explicitly request.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill promotes auto-publishing and recurring automation to connected social/media accounts without a prominent requirement for explicit user confirmation before publishing. In this context, the capability is particularly sensitive because it can cause unintended public posts or brand-impacting actions on external accounts.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The autopilot endpoint defaults to immediate article publication unless auto_publish is disabled, yet the skill does not require a strong user-facing warning before invoking that default. This creates a meaningful risk of unintended publication of generated content, especially in an agent setting where users may expect generation but not public release.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill documents permanent deletion of articles and associated files without requiring explicit confirmation or a pre-action warning. Destructive operations are sensitive because a mistaken or injected request could irreversibly remove published content and media with no refund or easy recovery path.

VirusTotal

64/64 vendors flagged this skill as clean.
