WotoHub Automation

Security checks across malware telemetry and agentic risk

Overview

This is a real outreach automation skill, but it needs review because it can send emails, read inbox data, create scheduled jobs, and run locally configured bridge commands with broad access.

Install only if you intend to let this skill use a WotoHub credential that can send outreach and read inbox data. Keep bridge executor settings and brief files trusted, leave TLS verification enabled, review scheduled_send and safe_auto_send policies before running scheduled cycles, and enable createCron only when you want persistent campaign automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (36)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for key, value in (env_overrides or {}).items():
    env[str(key)] = str(value)

completed = subprocess.run(
    command,
    cwd=cwd,
    env=env,
Confidence
94% confidence
Finding
completed = subprocess.run( command, cwd=cwd, env=env, capture_output=True, text=True, timeo

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for key, value in (env_overrides or {}).items():
    env[str(key)] = str(value)

completed = subprocess.run(
    command,
    cwd=cwd,
    env=env,
Confidence
93% confidence
Finding
completed = subprocess.run( command, cwd=cwd, env=env, capture_output=True, text=True, timeo

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    backend_args = shlex.split(backend_cmd)
    completed = subprocess.run(
        backend_args,
        input=json.dumps(payload, ensure_ascii=False),
        text=True,
Confidence
98% confidence
Finding
completed = subprocess.run( backend_args, input=json.dumps(payload, ensure_ascii=False), text=True, capture_output=True,

Tainted flow: 'backend_args' from os.environ.get (line 325, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
try:
    backend_args = shlex.split(backend_cmd)
    completed = subprocess.run(
        backend_args,
        input=json.dumps(payload, ensure_ascii=False),
        text=True,
Confidence
99% confidence
Finding
completed = subprocess.run( backend_args, input=json.dumps(payload, ensure_ascii=False), text=True, capture_output=True,

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script explicitly accepts user-supplied host bridge executor configuration via command-line arguments and passes it into CampaignRunner, where it is intended to trigger external execution. Even though this may be designed as a production integration feature, it creates a command-execution extension point that can be abused if untrusted users, jobs, or upstream systems can influence these arguments or the JSON/config they reference. In an automation skill that handles scheduled outreach and reply flows, this materially increases risk because cron/orchestrator contexts often run with privileged environment access and API tokens.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code intentionally supports host bridge executors that can be specified dynamically and then run as external commands. Because these executor specs can come from `config`, `brief`, scheduler fields, or environment variables, the skill becomes a generic command-execution bridge rather than a narrowly scoped automation component.

Context-Inappropriate Capability

Medium
Confidence
75% confidence
Finding
This skill includes functionality to create OpenClaw cron jobs via a local CLI, extending the skill from outreach automation into persistent task scheduling and agent-turn execution. That broader capability increases blast radius because a user invoking campaign creation may unintentionally grant the skill a persistence mechanism that can continue acting after the original interaction.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The code silently pulls WotoHub and OpenClaw credentials from environment variables, which expands the skill's privilege beyond what a user may expect from normal outreach automation inputs. In agent environments, ambient credentials can let the skill perform authenticated operations without transparent user consent or scoping.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The code behavior contradicts the safety comment: when `requested == "manual_send"` and `review_required=False` is explicitly supplied, `requires_review` becomes false while `execute_send` remains true, allowing immediate send execution. In an outreach automation skill, this mismatch can mislead operators or upstream components into believing manual mode is safe-by-default when it can actually transmit emails automatically.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The initial summary states the engine 'does not silently send them,' but later the function calls `send_batch(...)` automatically whenever policy permits and review is not required. This misleading status text can cause unsafe operational assumptions, especially in autonomous campaign workflows where humans rely on summaries and notes to understand whether network actions occurred.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code explicitly allows TLS certificate validation and hostname checking to be disabled via WOTOHUB_VERIFY_TLS. If this flag is turned off, API keys and request/response data can be intercepted or modified by a man-in-the-middle, which is especially dangerous here because this skill handles authenticated inbox, send, and reply operations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This code gives the skill a broad, host-configurable ability to execute arbitrary external programs for analysis and drafting, which exceeds normal outreach orchestration behavior. Because the executor can be configured dynamically and receives rich request payloads, the feature can be abused for arbitrary code execution, data exfiltration, or lateral movement if deployment controls are weak.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This module's stated purpose is semantic helpers, but it can execute any external command specified in an environment variable and feeds it JSON payload input. That creates an unjustified arbitrary execution hook inside a high-level automation component, which can be abused for remote code execution, persistence, secret theft, or covert data exfiltration if the environment is compromised.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill accepts a request-controlled `briefPath` and reads that path directly from the local filesystem with `Path(brief_path).read_text(...)` and no validation, sandboxing, or allowlist. This creates an arbitrary file read primitive within the skill process, which can expose sensitive local JSON/config files or internal data unrelated to the stated outreach automation purpose.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The campaign API accepts a user-controlled briefPath and directly reads that path from the local filesystem with Path(brief_path).read_text(...), with no path restriction, allowlist, or sandboxing. An attacker who can invoke this API can use it to read arbitrary JSON-readable local files, which is especially concerning in an automation skill that may run with access to campaign data, secrets, or system files in the host environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The bridge executor capability is not just a transparency issue; it creates a hidden execution surface where the skill can launch external programs based on runtime configuration. In an agent skill context, lack of clear disclosure increases the likelihood that operators will unknowingly grant a component the ability to execute local commands and access local resources.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code writes the full bridge payload to a temporary JSON file, and that payload may include `rawInput`, `brief`, campaign details, and selected creator/product context. Even though a temporary directory is used, this persists potentially sensitive campaign and communication data to disk where it may be exposed through local compromise, debugging artifacts, backups, or misconfigured temp-file permissions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Accessing sensitive credentials from environment variables without user-facing disclosure creates a consent and transparency problem. In a shared or agentic runtime, users may not realize the skill can leverage preloaded secrets to query APIs or monitor campaigns on their behalf.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill can launch an external CLI to create persistent cron jobs without any user-facing warning or confirmation in this execution path. That is dangerous because it enables durable automation and future agent turns, which materially changes the security and operational impact of using the skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The engine records creators as contacted before execute_outreach_send confirms whether any outreach was actually sent. This can suppress future contact attempts via exclude_blogger_ids and corrupt campaign state, causing silent delivery gaps, missed outreach, and inaccurate audit/history data. In an automation skill that makes send/block decisions across cycles, this state inconsistency is operationally significant.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
`to_campaign_create_input` includes `semanticContext: ctx`, forwarding the entire upstream context wholesale into the campaign payload. In an automation skill handling outreach and inbox workflows, this can propagate unnecessary sensitive data, hidden metadata, or prompt-derived artifacts to downstream components or external APIs, increasing the risk of over-sharing, privacy leakage, and confused-deputy behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script retrieves inbox email details and then writes the resulting preview data, including message subjects, content, blogger identifiers, and generated reply bodies, directly to stdout or a file. In an automation skill handling influencer outreach, this can expose sensitive correspondence to logs, terminals, CI systems, or shared files without any consent gate, minimization, or warning, creating a real confidentiality risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
In auto_reply mode, this file can trigger sending reply previews automatically once certain model-analysis conditions are met, without any explicit human confirmation step in the control flow here. In an outreach/inbox automation skill, that creates a real risk of unintended external communications, reputation damage, and policy-violating bulk replies if classification or preview generation is wrong.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The orchestrator serializes raw user input and semantic context to temporary JSON files and forwards them to external executors without any consent, minimization, or trust validation. If those payloads contain sensitive business data, product details, campaign identifiers, or creator information, they can be exposed to untrusted local processes or retained by external tooling beyond the intended scope.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
External commands may be launched solely because configuration or environment variables specify an executor, with no explicit disclosure or operator confirmation in the application flow. In this skill context, that is more dangerous because the orchestrator is expected to perform outreach automation, not silently extend itself into arbitrary local command execution and external bridging.

VirusTotal

65/65 vendors flagged this skill as clean.