Google Blogger

Security checks across malware telemetry and agentic risk

Overview

This is a real Blogger management skill, but it includes under-disclosed TechRex-specific bulk publishing and local file-generation scripts that can change public blog content and files outside the skill’s normal scope.

Install only if you intend to give the assistant Blogger account authority. Use the main gblog.py commands for normal Blogger work, protect and revoke the Google OAuth token when finished, and avoid running gblog-bulk-post.py, update-blogger-full.py, or the generate-* scripts unless you have reviewed the TechRex paths, generated HTML, target blog ID, and exact posts to be changed. Prefer draft mode and explicit per-post review for any publishing workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script is hard-wired to read content and metadata from a separate TechRex website workspace under the user's home directory, which exceeds the stated generic Blogger CLI scope. This creates an unintended capability boundary violation: anyone invoking the skill can cause it to access and publish local repository content that is unrelated to normal Blogger management, increasing the risk of accidental data exposure or misuse.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The optional --update-json path rewrites posts.json in an external website repository, giving the skill write access beyond Blogger API operations. Even if intended for workflow convenience, this expands the tool from blog management into modification of unrelated local project state, which can corrupt metadata, alter deployment inputs, or be abused to tamper with another repository's content.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script writes generated HTML into a hard-coded path under a local workspace unrelated to the declared Blogger credential/configuration path. This is dangerous because running the skill can unexpectedly modify files in a specific user directory, causing unintended content tampering or corruption in an external website repository if that path exists on the host.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The script's behavior does not match the skill's declared purpose of managing Blogger posts through the Blogger API. Instead, it writes HTML files into a local website content tree under the user's home directory, which creates an undeclared file-system side effect and could modify unrelated local content if the skill is invoked in a trusted automation context.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Writing into ~/.openclaw/workspace/techrex-website/content/blog/blogger-html-full is an unrelated local project path not justified by the skill's stated Blogger-management function. In an agent setting, this makes the skill more dangerous because a user may grant it Blogger privileges while it also silently alters local website content, violating least surprise and least privilege.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This script performs local static HTML generation for a TechRex website under a hidden workspace path, which is outside the declared Blogger-management purpose of the skill. Even though it is not overtly destructive, undeclared side-effecting functionality can mislead operators, write unexpected files to the host filesystem, and indicate the skill package includes unrelated code that could be used to smuggle additional behavior.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code behavior does not match the skill's stated purpose: instead of interacting with the Blogger API, it reads a local posts.json file and writes HTML files to a local website directory. This mismatch is dangerous because security review, permission expectations, and user trust are based on the manifest; hidden or unrelated behavior increases the risk of unauthorized filesystem modification and can mask more harmful supply-chain activity.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The script's behavior materially differs from the skill manifest: instead of managing Blogger posts through the Blogger API, it reads local project data, fetches YouTube transcripts, generates content, and writes HTML files into a workspace. This kind of scope mismatch is dangerous because users may grant trust and credentials based on the declared Blogger-management purpose while the code performs unrelated content-generation and file-writing actions.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Invoking an external oracle CLI introduces a new execution and data-exfiltration path not justified by the stated Blogger-management functionality. In this skill context, that makes the behavior more suspicious because transcript and post metadata are being sent to another tool/service outside the advertised trust boundary.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Fetching YouTube transcripts to synthesize blog posts is outside the manifest's stated scope of Blogger post management, editing, listing, deletion, scheduling, and monitoring. This discrepancy increases risk because the skill performs network data collection and content transformation that a user would not reasonably expect from the description.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The README promotes bulk publishing and monitoring operations against an external Blogger account without clearly warning users about potentially irreversible content changes, API activity, or rate-limit effects. In an AI-agent context, this increases the risk of unintended mass posting, persistent polling, or accidental modification of user data if actions are triggered too broadly or without adequate confirmation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation presents a delete command without any warning, dry-run guidance, or confirmation expectation. In a content-management skill, this increases the chance of accidental destructive actions against live blog posts, especially when users may copy commands directly from examples.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill documents storing OAuth credentials and refresh tokens locally but provides no security or privacy guidance about protecting those files. Because refresh tokens can grant ongoing access to Blogger accounts, weak handling or permissive filesystem access could enable account compromise or unauthorized publishing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Transcript content is collected and later sent to an external oracle CLI without any user-facing disclosure, consent, or data-handling notice. This is risky because transcripts may contain sensitive or proprietary material, and the skill context does not prepare the user for third-party processing beyond Blogger management.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script performs unattended bulk updates to live Blogger posts using local content and hard-coded blog identifiers, but provides no interactive confirmation, dry-run mode, or scope validation before making irreversible remote changes. In the context of a blog-management skill, mass modification is expected functionality, but the lack of guardrails increases the risk of accidental defacement, publishing mistakes, or misuse if the script is invoked in the wrong environment or with compromised inputs.

Ssd 1

Medium
Confidence
95% confidence
Finding
Untrusted transcript text is embedded directly into the LLM prompt, allowing content from the video transcript to semantically steer or override the generation instructions. Because the generated HTML is later written to disk and may be published, a malicious transcript could induce unwanted content, hidden prompts, spam, policy bypasses, or unsafe HTML generation through indirect prompt injection.

Ssd 1

Medium
Confidence
95% confidence
Finding
The alternate prompt path has the same core flaw: raw transcript content is inlined into instructions for an external model, enabling prompt injection from the transcript itself. In this context the risk is heightened because the resulting content is trusted enough to be wrapped as publishable blog HTML without robust validation.

VirusTotal

66/66 vendors flagged this skill as clean.
