Security audit

Clawhub Skill Lite

Security checks across malware telemetry and agentic risk

Overview

This is a setup-only Facebook Page management skill whose sensitive capabilities are disclosed and aligned with its purpose, though users should review permissions carefully.

Before installing, confirm you trust PageClaw, review the Meta OAuth permission screen, connect only the intended business Page, and start with conservative approval settings for posts, replies, bookings, review responses, and lead capture. Avoid using it for regulated medical, education, or other sensitive workflows unless PageClaw’s privacy, retention, and compliance terms meet your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 85% confidence

Finding: The skill advertises lead capture and booking functions that inherently involve collecting personal data, but it provides no user-facing notice about what data is collected, how it is used, or the privacy implications. In a Facebook Page management context, this can lead users to enable workflows that process customer information without informed consent or adequate safeguards, increasing privacy and compliance risk.

Missing User Warnings

Medium, 81% confidence

Finding: The skill promotes automated Facebook Page actions such as replying, posting, review management, and analytics access, but does not warn users about risks to account integrity, unintended actions, or exposure of page and customer data. Because it acts on a business-owned social media account, the lack of disclosure about automation risks and permissions makes accidental misuse or overbroad access more dangerous.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.