Mallary Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

This skill performs real social-media publishing and account management, but it gives an agent broad powers (live posting, deletion, upload, webhook, settings, and platform disconnect) without adequate confirmation or secret-handling safeguards.

Install only if you are comfortable giving Mallary CLI access to connected social accounts. Use a least-privilege key if available, avoid printing or pasting real API keys into shared terminals, do not store secrets in synced dotfiles, and require explicit confirmation before any post creation, upload, delete, platform disconnect, webhook, or settings update command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (11)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation tells users to append a live API key to shell startup files, which stores a secret in plaintext in a predictable location without warning about local disclosure risks. This can expose credentials through shared accounts, backups, dotfile syncing, screen sharing, shell-history mistakes during setup, or accidental publication of home-directory config files.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The example shows a real post creation command that can publish content to external social media accounts, but it is presented as a normal test step without a warning that it performs a state-changing action. Users or agents may execute it during evaluation and unintentionally create public posts or trigger automation against production profiles.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding
The troubleshooting section advises users to print the API key with `echo $MALLARY_API_KEY`, which can expose the secret on-screen, in terminal recordings, screenshots, shared sessions, or logs captured by developer tooling. While lower severity than persistent plaintext storage, it still increases the chance of accidental credential disclosure.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The documentation states that local media paths are uploaded automatically and that the CLI sends the post request, but it does not clearly warn users that selecting a local file causes data transmission to Mallary infrastructure and onward to third-party social platforms. In an agent-driven workflow, this can lead to unintended exfiltration of local files or sensitive media if an agent is induced to reference the wrong path or uses untrusted payload content.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The document gives concrete commands and JSON payloads for creating and uploading posts across external social platforms, including public visibility examples such as YouTube `visibility: public` and direct-post TikTok settings, without any warning that these actions can publish real content to live third-party accounts. In an agent skill context, omission of an explicit caution increases the chance that a user or autonomous agent will treat the examples as harmless test operations and unintentionally make public posts, causing reputational or operational impact.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The documentation presents a destructive delete command with no warning, confirmation guidance, or note about permanence. In an agent or automation context, this increases the chance of accidental deletion of social content, especially if users copy commands directly or tools execute them non-interactively.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The guide instructs users to place a long-lived API key in shell profiles without warning that shell startup files may be readable by other local users, accidentally committed, or exposed through support bundles and terminal history. For agent workflows, persistent environment-based credentials broaden blast radius because any spawned process or misconfigured automation may inherit the secret.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding
The skill documents destructive or account-affecting operations such as post deletion and platform disconnection with no strong confirmation or warning guidance. In an agent context, this increases the chance of unintended state-changing actions against social accounts, especially if the agent interprets these examples as routine operations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation states that local files are automatically uploaded to Mallary's CDN before posting, but it does not clearly warn users that this transmits potentially sensitive local data to a third-party service. In an agent/CLI context, this increases the risk of unintended exfiltration if a user or automated workflow points the tool at the wrong file, especially because the resulting media is hosted at a URL that appears to be publicly reachable.
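The two controls the findings above keep asking for, an explicit confirmation gate in front of state-changing commands (post creation, upload, delete, disconnect, webhook, settings) and a path allowlist for media uploads, as an added example that is not part of the Mallary skill or its documentation. It assumes POSIX sh, that the CLI binary is invoked as `mallary`, and that its state-changing subcommands contain one of the verbs in `MUTATING_VERBS` as a whole argument; the verb list, `MALLARY_MEDIA_DIR`, `MALLARY_CONFIRM_FROM_STDIN` and the function names are this example's own choices, not names from the page.

```shell
#!/bin/sh
# Added example (not the Mallary skill's own code): gate state-changing
# Mallary CLI commands behind a typed "yes" and restrict uploads to an
# approved directory. The verb list and variable names below are assumptions.

MUTATING_VERBS="create upload delete disconnect webhook settings"

# Return 0 if any argument is one of the mutating verbs (assumed to be how
# the CLI names those subcommands; adjust to the real command names).
is_mutating_command() {
    for arg in "$@"; do
        for verb in $MUTATING_VERBS; do
            [ "$arg" = "$verb" ] && return 0
        done
    done
    return 1
}

# Ask for an exact "yes" on stdin. When stdin is not a terminal the request
# is refused unless MALLARY_CONFIRM_FROM_STDIN=1, so an agent that pipes
# "yes" into the wrapper does not silently satisfy the check.
require_confirmation() {
    description=$1
    if [ ! -t 0 ] && [ "${MALLARY_CONFIRM_FROM_STDIN:-0}" != "1" ]; then
        echo "refusing non-interactive confirmation for: $description" >&2
        return 1
    fi
    printf 'About to run: %s\nType yes to continue: ' "$description" >&2
    IFS= read -r answer || answer=
    [ "$answer" = "yes" ]
}

# guarded_run CMD ARGS...: read-only commands run directly; mutating ones
# run only after confirmation. Returns 2 when the operator declines.
guarded_run() {
    if is_mutating_command "$@"; then
        require_confirmation "$*" || { echo "aborted: $*" >&2; return 2; }
    fi
    "$@"
}

# Media may only come from this directory, so an agent pointed at the wrong
# path (a key file, a backup archive) cannot ship it to the CDN.
MALLARY_MEDIA_DIR=${MALLARY_MEDIA_DIR:-$HOME/mallary-media}

# Return 0 if FILE is a regular, non-symlink file whose resolved directory
# lies under MALLARY_MEDIA_DIR. ".." segments are resolved with pwd -P.
media_path_allowed() {
    f=$1
    [ -f "$f" ] || return 1
    [ -L "$f" ] && return 1
    dir=$(cd "$(dirname "$f")" 2>/dev/null && pwd -P) || return 1
    base=$(cd "$MALLARY_MEDIA_DIR" 2>/dev/null && pwd -P) || return 1
    case "$dir/" in
        "$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use (assumed CLI shape): check the path, then gate the upload.
# media_path_allowed ./clip.mp4 && guarded_run mallary upload ./clip.mp4
```

The gate is deliberately stricter than a `-y` flag in reverse: non-interactive runs fail closed, so an agent has to surface the command to a human rather than auto-answering. Treat `media_path_allowed` as a coarse check; it rejects symlinks and `..` escapes but does not inspect file contents.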

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The instruction to run `printenv MALLARY_API_KEY` explicitly reveals the secret in terminal output, logs, transcripts, and agent-visible tool results. In an agent workflow, that can expose the API key to the model, downstream logging systems, or anyone with access to session history, enabling unauthorized use of the connected social-media account capabilities.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
Inlining the API key in `export MALLARY_API_KEY=your_api_key` normalizes entering secrets directly into shell history and visible command transcripts. While placeholder-based documentation is common, in an agent-operated terminal this pattern materially increases the risk that real credentials are pasted into logged or replayable contexts.
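The safe alternatives to the patterns flagged above (a key appended to a shell profile, `echo $MALLARY_API_KEY` / `printenv MALLARY_API_KEY`, and inline `export MALLARY_API_KEY=...`), as an added example that is not part of the Mallary skill or its documentation. Only the variable name `MALLARY_API_KEY` comes from the page; the key-file convention, the function names and the status/fingerprint formats are this example's own choices. It assumes POSIX sh with `find`, `grep` and `cut`, and uses `sha256sum` when present.

```shell
#!/bin/sh
# Added example (not the Mallary skill's own code): confirm a secret is
# loaded without printing it, load it from a private file instead of a
# shell profile, and audit startup files for plaintext copies.

# Report only whether the key is set and how long it is, never the value.
# Use this in place of `echo $MALLARY_API_KEY` or `printenv MALLARY_API_KEY`.
mallary_key_status() {
    if [ -z "${MALLARY_API_KEY:-}" ]; then
        echo "MALLARY_API_KEY: not set"
        return 1
    fi
    echo "MALLARY_API_KEY: set (${#MALLARY_API_KEY} chars)"
    return 0
}

# A short, non-reversible fingerprint for checking that two machines hold
# the same key without disclosing it. Falls back to cksum without sha256sum.
mallary_key_fingerprint() {
    [ -n "${MALLARY_API_KEY:-}" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$MALLARY_API_KEY" | sha256sum | cut -c1-12
    else
        printf '%s' "$MALLARY_API_KEY" | cksum | cut -d' ' -f1
    fi
}

# Load the key from a private file rather than ~/.bashrc or ~/.zshrc.
# Refuses files readable by group or others so a shared-account or synced
# dotfile mistake fails loudly. The file path is the caller's choice.
load_mallary_key_from_file() {
    f=$1
    [ -f "$f" ] || { echo "no key file: $f" >&2; return 1; }
    if find "$f" \( -perm -040 -o -perm -004 \) -print | grep -q .; then
        echo "refusing $f: readable by group or others (chmod 600 it)" >&2
        return 1
    fi
    MALLARY_API_KEY=$(cat "$f") && export MALLARY_API_KEY
    [ -n "$MALLARY_API_KEY" ]
}

# Print "file:line" for every startup file line that assigns the key as a
# literal. Assignments that read it from elsewhere ($VAR, "$(cmd)") are not
# flagged. Line numbers only; the value itself is never echoed.
# Returns 0 if at least one plaintext assignment was found.
find_plaintext_key_lines() {
    hits=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        lines=$(grep -n 'MALLARY_API_KEY=' "$f" 2>/dev/null \
            | grep -v 'MALLARY_API_KEY="*\$' \
            | cut -d: -f1)
        for n in $lines; do
            printf '%s:%s\n' "$f" "$n"
            hits=$((hits + 1))
        done
    done
    [ "$hits" -gt 0 ]
}

# Typical use: audit the usual profiles, then load from a 0600 file.
# find_plaintext_key_lines ~/.bashrc ~/.zshrc ~/.profile
# load_mallary_key_from_file ~/.config/mallary/api_key && mallary_key_status
```

Loading the key per session from a mode-0600 file keeps it out of dotfile sync and support bundles, and `mallary_key_status` gives an agent or a troubleshooting transcript the "is it set?" answer the original docs obtain by printing the secret. The audit grep is a heuristic: it catches the `export MALLARY_API_KEY=...` form the page recommends, not keys stored under other variable names.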

VirusTotal

64/64 vendors flagged this skill as clean.
