Xanadu Social Media Manager

Security checks across malware telemetry and agentic risk

Overview

The social media tools mostly fit the stated purpose, but the package includes preconfigured payment code with an exposed billing key and a charge function that needs review before installation.

Review this skill before installing. The social scheduling and analytics pieces look ordinary, but remove or disable the bundled SkillPay files unless you explicitly want monetization, rotate the exposed SkillPay key if it is real, and require clear user confirmation before any billing call. Use least-privilege social platform tokens and store queued drafts only in a private project directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and demonstrates capabilities that require sensitive operations such as network access, environment-variable access, and likely file I/O, but it does not declare any permissions. This creates a transparency and trust problem: a user or platform may invoke the skill without realizing it can access secrets, call external APIs, or modify local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill is presented primarily as a social media management tool, but it also includes billing functionality through an external payment service. Even though monetization is described as optional, coupling payment operations with a content-management skill expands the trust boundary and can enable unexpected charges, external data sharing, or usage tracking beyond what the description leads users to expect.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements payment and charging behavior even though the skill is described as a social media management capability. Out-of-scope billing logic is risky because it can monetize or exfiltrate user/account data through an unrelated path that users and reviewers would not reasonably expect from this skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code pulls a billing API key from local config or environment for a capability not justified by the declared social media purpose. Accessing secrets for an undisclosed payment integration increases the risk of hidden monetization behavior and expands the blast radius if the skill or host environment is compromised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The charge request transmits user_id, amount, skill_id, and the billing API key to an external service without any evidence in this file of user notice, consent, or disclosure. In the context of a social media manager, hidden payment processing is especially dangerous because users would not reasonably expect their identifiers to be sent to a third-party billing endpoint.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A live-looking API secret is hardcoded directly in the source file, which means anyone with repository, package, log, or deployment artifact access can recover it and use the billing account without authorization. In a skill that may be distributed or reviewed by others, this is especially dangerous because the key can be copied silently and abused for fraudulent charges, account takeover of the payment integration, or lateral access depending on the API's privileges.

External Transmission

Medium
Category
Data Exfiltration
Content
amount = amount or DEFAULT_PRICE

try:
    response = requests.post(
        f"{self.base_url}/charge",
        json={
            "api_key": self.api_key,
Confidence
87% confidence
Finding
requests.post( f"{self.base_url}/charge", json=

Env Variable Harvesting

High
Category
Data Exfiltration
Content
try:
    from billing_config import SKILLPAY_API_KEY, SKILL_ID, DEFAULT_PRICE, OWNER_WALLET
except ImportError:
    SKILLPAY_API_KEY = os.environ.get("SKILLPAY_API_KEY")
    SKILL_ID = "xanadu-social-manager"
    DEFAULT_PRICE = 0.001
    OWNER_WALLET = None
Confidence
88% confidence
Finding
os.environ.get("SKILLPAY_API_KEY

VirusTotal

65/65 vendors flagged this skill as clean.
