ClawHub

LINE Chat for Official Account

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate LINE Official Account automation skill, but it can read customer chats, send live replies, and forward customer images outside LINE without strong confirmation or data-handling safeguards.

Review this carefully before installing for a real LINE Official Account. Use it only for accounts where the agent is allowed to see customer messages, supervise or require confirmation before sending replies or changing notes/tags, avoid forwarding customer images unless there is a clear business need, and log out or stop the OpenClaw browser service when you no longer want the session available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill goes beyond managing LINE OA chats and explicitly instructs the agent to download customer-sent images to local disk and forward them to another user. That expands the data flow from in-app handling to local storage and external retransmission, creating a real privacy and data-exfiltration risk for customer content.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Using host shell execution to inspect ~/Downloads is not necessary for ordinary browser-based LINE OA management and introduces broader host access than the skill description suggests. Even though the example is narrow, it normalizes shell access and filesystem probing in a customer-messaging workflow, increasing attack surface and the chance of unintended local data exposure.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The suggested invocation phrases are broad enough that an agent may activate this skill for generic requests like checking or replying to LINE messages without making the privacy-sensitive nature of the action explicit. Because this skill reads and sends customer communications in a business messaging interface, accidental invocation could expose private conversations or cause unintended outbound replies.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README describes message checking and customer replies but does not clearly warn that the skill accesses privacy-sensitive customer communications and can perform external actions on the user's behalf. In a browser-automation context, lack of disclosure increases the chance that operators invoke the skill without understanding that it can read confidential chats, view account data, and send live responses to customers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill provides direct instructions to send customer replies but does not require a confirmation step before transmitting a message. In a browser automation context, that can cause accidental or unauthorized outbound communication to real customers, with business, reputational, and compliance consequences.

Ssd 3

High
Confidence
97% confidence
Finding
The skill instructs the agent to extract customer chat content and send downloaded customer images back to a user in plain language, which is a direct cross-boundary disclosure of potentially sensitive third-party data. In the context of a customer support system, this materially increases the risk of privacy violations, unauthorized sharing, and mishandling of personal information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal