ClawHub

Haitivirtualbanks

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a private Instagram data archive packaged as a banking-named skill, not a functional skill, so installing it could expose sensitive personal data.

Do not install this as a normal skill. It has no meaningful skill instructions and appears to bundle a private Instagram export unrelated to its stated name. If you are the publisher, remove the personal data and republish only the intended skill files with a clear description.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI04: Agentic Supply Chain Vulnerabilities
High
What this means

A user installing the skill may receive someone’s private social-media archive rather than a useful skill, creating privacy and provenance risk.

Why it was flagged

The bundle contains a large Instagram data export, including messages, security/login records, and media, despite being described only as a virtual-banks skill.

Skill content
74 file(s): start_here.html ... your_instagram_activity/messages/secret_conversations.html ... security_and_login_information/login_and_profile_creation/login_activity.html ... media/stories/202602/17867948901559481.mp4
Recommendation

Do not install unless you intentionally want to inspect this archive. The publisher should remove unrelated personal data and publish only necessary skill instructions/files with a clear description.

#
ASI06: Memory and Context Poisoning
High
What this means

Private messages, location information, account activity, and device details could be read, summarized, or shared unintentionally by an agent using the installed bundle.

Why it was flagged

The bundled files include persistent private account, device, location, and message data that could be exposed to the agent context or reused in later interactions.

Skill content
personal_information/device_information/devices.html; personal_information/information_about_you/locations_of_interest.html; your_instagram_activity/messages/inbox/.../message_1.html; security_and_login_information/login_and_profile_creation/last_known_location.html
Recommendation

Treat the package as sensitive personal data. Avoid installing it, and remove or redact the archive if this was an accidental upload.

#
ASI09: Human-Agent Trust Exploitation
Medium
What this means

Users may trust and install a skill that appears to be about banks while unknowingly adding a sensitive Instagram archive to their environment.

Why it was flagged

The skill description gives no notice that the package contains Instagram personal data, making the bundle materially different from what a user would expect.

Skill content
# Haitivirtualbanks

btccitahaitivirtualbanks
Recommendation

Require a clear, accurate description before installation and verify that the package contents match the stated purpose.