ClawHub

Nomtiq

Security checks across malware telemetry and agentic risk

Overview

Nomtiq mostly behaves like a restaurant recommender, but it also bundles under-disclosed promotion research, community monitoring, and ongoing external sharing behavior.

Review before installing. The restaurant recommendation features are useful and mostly coherent, but the package includes marketing research files/scripts and Moltbook community-monitoring code. Keep Moltbook disabled or leave MOLTBOOK_API_KEY unset unless you want liked restaurants, areas, prices, and tags shared externally; remove or ignore the promotion and monitor scripts if you only want a local restaurant recommender.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (43)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The manifest declares environment variables, external network calls, and multiple executable scripts, but does not present a clear permission model to users despite capabilities including network, file access, and shell execution. This creates a transparency and consent gap: users may invoke a simple restaurant skill without understanding it can read/write local state and make broad outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The advertised behavior is a lightweight restaurant recommendation tool, but the documented implementation extends into persistent profiling, companion/scene history, external publishing to Moltbook, comment-monitoring state, and competitor-data collection. That mismatch is dangerous because users and reviewers may grant trust or activate the skill under false assumptions, leading to privacy exposure and unexpected data sharing.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file logs repeated searches for 小红书/OpenClaw promotion and user-growth topics, which are outside the declared restaurant recommendation scope. In an agent skill, this kind of scope drift can indicate embedded growth-hacking or intelligence-gathering behavior that may repurpose the agent for marketing or ecosystem surveillance rather than user-serving restaurant discovery.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill content repeatedly gathers OpenClaw launch, registry, and community-promotion intelligence unrelated to finding places to eat. That broadens the skill into ecosystem reconnaissance, which is dangerous because an agent could use such instructions to profile platforms, target audiences, or distribution channels under the guise of a benign food assistant.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This content supports promotional and community-growth research workflows that are not justified by the advertised restaurant-finder functionality. While not direct code execution, such latent capability expansion increases the risk that the skill is used for covert marketing, trend harvesting, or user manipulation outside the user’s reasonable expectations.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file content does not implement or document restaurant-finding behavior; instead it contains repeated promotion/search-collection notes about OpenClaw, growth, and distribution channels. This mismatch is dangerous because users and reviewers may trust the skill based on its manifest while hidden non-functional or promotional content occupies the package, indicating possible deceptive packaging, review evasion, or preparation for later bait-and-switch changes.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file is clearly a promotion/market-research log focused on OpenClaw skill launches, community discovery, and user-growth topics rather than restaurant recommendation behavior. In a restaurant-finding skill, hidden off-purpose content materially increases the risk of deceptive scope, repurposing of the agent for marketing workflows, and unexpected data handling or user-manipulation behavior.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The content includes research into promotion, community growth, and Xiaohongshu/OpenClaw marketing expansion, which is unrelated to helping users decide where to eat. That mismatch can enable covert prompt steering or operational drift, where the skill begins optimizing for promotion or audience growth rather than user-serving restaurant recommendations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file is a repeated promotion/research log about OpenClaw skill launches, community growth, and social-media推广 rather than restaurant recommendation behavior. That mismatch expands the skill's effective scope into marketing-intelligence collection, which can be abused for unrelated outreach, spam planning, or covert growth operations under the cover of a benign food-discovery skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The content shows sustained capability for launch/promotion research, competitor/community discovery, and Chinese social-growth scouting, none of which is justified by a restaurant-finder skill. In context, this is dangerous because it gives a seemingly harmless consumer skill access to workflows useful for social-platform manipulation and targeted promotion, increasing the risk of deceptive or unauthorized marketing use.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file appears to contain promotion and market-research notes rather than logic or content supporting a restaurant recommendation skill. The mismatch increases supply-chain and trust risk because users and reviewers may believe the skill is scoped to food discovery while it embeds unrelated growth-research material, including promotion-adjacent content.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The collected material focuses on launch promotion, user growth, and social-platform expansion rather than restaurant finding. In a consumer-facing skill, unrelated intelligence gathering can indicate hidden objectives, prompt drift, or future repurposing toward spammy promotion workflows, which broadens the attack and abuse surface.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The script collects marketing and competitor intelligence unrelated to the stated restaurant recommendation purpose of the skill, indicating hidden secondary behavior. Even if not directly exploitable for code execution, undisclosed off-purpose data collection expands the skill's behavioral scope and can violate user and platform trust expectations.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill manifest presents this as a restaurant-finding/recommendation tool, but this code can publish reviews to an external Moltbook service. That creates a capability mismatch: a user invoking a recommendation skill may not expect outbound posting or use of an external account, which can lead to unintended data disclosure or unauthorized actions under the agent's credentials.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code accesses an API credential to perform authenticated operations against an external service even though the stated skill purpose is recommendations. In this context, using a secret for undeclared account operations increases the risk of hidden external actions and broadens the trust boundary beyond what users would reasonably expect.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file header and CLI usage clearly show this script is for monitoring Moltbook posts and managing reply cadence, which is unrelated to the declared restaurant recommendation function of the skill. This hidden capability indicates deceptive scope and could enable covert social-media automation under the guise of a benign consumer assistant.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script fetches comments, identifies unanswered users, and outputs actions for when to reply, which is an engagement automation workflow rather than restaurant discovery logic. In the context of this skill, that mismatch is dangerous because it suggests concealed behavioral automation that could be used for spam, manipulation, or unauthorized account activity.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Reading a Moltbook API key and using it to access a third-party social platform is inconsistent with the declared restaurant-finding purpose, strengthening evidence of hidden, undeclared capabilities. The danger comes less from the environment lookup itself and more from acquiring privileged platform access for functionality users would not reasonably expect from this skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
When a user marks a restaurant as liked and a stored flag is enabled, the code automatically launches another script to post restaurant-related data to an external Moltbook service. This creates an undocumented data-sharing pathway beyond local taste-profile management, which is especially concerning in a restaurant recommendation skill because user preferences, habits, and frequented areas are behaviorally sensitive data.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code spawns a background subprocess to perform posting to another component, giving the skill an outbound action path not necessary for simple profile storage and analysis. In this context, hidden background execution makes it harder for users and reviewers to notice when personal preference data is being transmitted or processed outside the main workflow.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The file expands from map lookup into social-media cross-verification and sentiment scoring, causing additional external data collection and profiling behavior that is not obvious from the core map-search function. In a restaurant recommender skill, this broader data flow is risky because it can transmit user-derived interests and locations to extra services without clear need or notice.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill launches an external helper process to search social-media pages, which broadens capability beyond straightforward restaurant lookup and introduces an additional trust boundary. That is dangerous because the helper may have its own network behavior, logging, or parsing weaknesses, and the user is not clearly told that their query context will be sent through another tool.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The file advertises Serper API usage, but the executed path actually launches a local helper script in a hard-coded workspace. That mismatch can hide the true execution boundary from reviewers and operators, making it easier for a skill to invoke unexpected local components with different security properties than the documentation suggests.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The onboarding flow is triggered by common dining phrases such as '找餐厅', '吃什么', and '附近有什么好吃的', which are also normal user requests for immediate recommendations. This can cause the agent to enter profile-collection mode when the user only wanted a one-off answer, leading to unnecessary data collection and unexpected state changes.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The 饭票模式 trigger includes vague phrases like '和她吃饭' and '两个人的饭', which can match ordinary conversational requests rather than a deliberate mode switch. Because this mode changes behavior and may collect companion preference data, ambiguous activation increases the risk of unintended sensitive-data handling and incorrect recommendation flow.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal