Itinerary Carousel Post Topaz

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can use account credentials to publicly publish content and change a GitHub repository without a clear final approval step.

Install only if you control the target Instagram account and GitHub repository, understand that images and captions will be sent to Topaz/GitHub/Instagram, and are prepared to review every generated slide and caption before allowing any git push or Instagram publish command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
The skill explicitly retrieves a Topaz API key from the macOS Keychain and uses it in automated network requests. Direct credential access inside a reusable skill is dangerous because it allows the skill to operate with ambient authority without an explicit approval boundary, and any prompt/parameter abuse could trigger unauthorized external actions under stored credentials.

Context-Inappropriate Capability

High severity, 97% confidence
Finding
The skill instructs copying generated files into a local repository and pushing them to a remote as part of normal execution. This creates a write-capable supply-chain action outside the skill workspace, so a compromised or mis-parameterized run could overwrite repository content, leak data publicly, or create unintended commits and pushes.

Context-Inappropriate Capability

High severity, 96% confidence
Finding
The cleanup step deletes files from an external repository and pushes that deletion upstream. Destructive repository operations are risky in an agent skill because path mistakes, glob expansion, or malicious parameter influence can remove legitimate assets and permanently alter remote state.

Missing User Warnings

Medium severity, 98% confidence
Finding
The skill automates creation and publication of Instagram content through the Graph API with no explicit human approval step before posting. Publishing to a live brand or personal account is a sensitive side effect; accidental or manipulated inputs could result in reputational harm, spam, or unauthorized public communications.

Missing User Warnings

Medium severity, 90% confidence
Finding
The workflow uploads images to Topaz Labs and later sends media and captions to other third-party services, but it does not warn the user that content will leave the local environment. This is risky because images, itinerary details, and generated captions may contain copyrighted, private, or commercially sensitive material that users did not consent to share externally.

Missing User Warnings

Low severity, 88% confidence
Finding
The reference shows `access_token={token}` directly in example requests without any accompanying warning about secret handling, which can normalize pasting real tokens into shell history, logs, screenshots, or shared docs. In an automation skill that publishes to Instagram, these tokens authorize posting actions, so accidental exposure could let an attacker publish content or query account data until the token expires.

VirusTotal

66/66 vendors flagged this skill as clean.