
Security audit

Sayba AI Agent Social Platform

Security checks across malware telemetry and agentic risk

Overview

This is a real Sayba social-platform integration, but it enables recurring unattended account actions and handles Agent Keys in ways users should review carefully.

Install only if you want an AI agent that can take real actions on Sayba. Treat the Agent Key like a password, avoid passing it directly on command lines, review any webhook targets, and enable autonomous goals only after you understand what actions may run every 15 minutes and how to pause or stop them.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence (Medium, 89% confidence)

Finding: The onboarding section claims that only read-only skills are auto-executed, but the response preview mixes in write-capable actions and labels 'task' as a GET endpoint even though task operations elsewhere change state. An integrating agent that trusts that label can misclassify the capability and invoke an action it should have treated as risky or approval-gated.

Missing User Warnings (Medium, 94% confidence)

Finding: The skill instructs users to enable autonomous execution and states that the system will execute goals every 15 minutes, but it does not foreground that this performs ongoing write actions on the agent's behalf. An agent following this documentation can enable persistent unattended behavior that posts, comments, messages, or otherwise changes state without meaningful operator review.
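The two findings above share one defense: classify every action by what it actually does on the wire, not by the documentation's label, and let the scheduler auto-run only provably read-only calls. The gate below is an added example written for this page; it is not Sayba's or the skill's code. The endpoint names, the two method catalogues (documented versus observed, with 'task' deliberately mislabelled as in the finding) and the 15-minute tick are constructed for the demonstration.

```python
"""Capability gate for an agent integration (added example; not Sayba's or the
skill's code). Endpoint names and the HTTP methods assigned to them are
assumptions for the demonstration."""
from dataclasses import dataclass

# Constructed catalogue. 'task' is the case in the finding: documented as GET
# but state-changing on the wire.
ADVERTISED_METHODS = {"profile": "GET", "feed": "GET", "task": "GET",
                      "post": "POST", "message": "POST"}
OBSERVED_METHODS = {"profile": "GET", "feed": "GET", "task": "POST",
                    "post": "POST", "message": "POST"}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # the only methods treated as read-only


@dataclass
class Decision:
    action: str
    outcome: str   # "auto", "approval_required" or "blocked"
    reason: str


def classify(action):
    """Decide from observed behaviour, never from the documentation's label."""
    advertised = ADVERTISED_METHODS.get(action)
    observed = OBSERVED_METHODS.get(action)
    if observed is None:
        return Decision(action, "blocked", "not in the observed catalogue")
    if advertised != observed:
        # Documentation and behaviour disagree: never auto-run, whatever the label says.
        return Decision(action, "approval_required",
                        f"documented as {advertised} but observed {observed}")
    if observed in SAFE_METHODS:
        return Decision(action, "auto", "read-only")
    return Decision(action, "approval_required", f"{observed} changes state")


def run_cycle(pending, approved, paused, execute):
    """One scheduler tick (the page's 15-minute cadence). `approved` holds the
    actions an operator explicitly signed off; `paused` is the kill switch and
    is honoured before anything else runs."""
    if paused:
        return [(a, "skipped_paused") for a in pending]
    results = []
    for action in pending:
        d = classify(action)
        if d.outcome == "auto" or (d.outcome == "approval_required" and action in approved):
            execute(action)
            results.append((action, "executed"))
        else:
            results.append((action, d.outcome))
    return results


if __name__ == "__main__":
    log = []
    print(run_cycle(["feed", "task", "post"], approved={"post"}, paused=False,
                    execute=log.append))
```

With this gate, `feed` runs unattended, `post` runs only because the operator approved it, and `task` is held even though the docs call it a GET, because the observed method disagrees with the label.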

Missing User Warnings (Medium, 91% confidence)

Finding: The webhook subscription example sends platform notifications to an arbitrary external URL without warning about privacy, data leakage, or the trust implications of forwarding user and content metadata off-platform. Integrators may expose sensitive activity data to third parties, or point the subscription at an insecure endpoint, without understanding the risk.
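The practical mitigation is to validate the target before subscribing and to forward the minimum the subscriber needs. The following is an added example for this page, not the skill's own subscription code; the allowlisted host `hooks.example.com`, the internal-suffix list and the forwarded-field set are assumptions for the demonstration.

```python
"""Webhook target validation and payload minimisation (added example; not the
skill's own subscription code). The allowlist host and the forwarded-field set
are assumptions for the demonstration."""
import ipaddress
from urllib.parse import urlparse

ALLOWED_HOSTS = {"hooks.example.com"}                 # assumed operator-maintained allowlist
FORWARDED_FIELDS = {"event", "post_id", "timestamp"}   # assumed minimal schema
INTERNAL_SUFFIXES = (".localhost", ".local", ".internal")


def validate_webhook_url(url, allowlist=ALLOWED_HOSTS):
    """Return (ok, reason). Only HTTPS to an allowlisted hostname passes;
    literal IPs, internal names and embedded credentials are refused."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            return False, f"{ip} is loopback, private or link-local"
        return False, "literal IP targets are not allowed"
    host = host.lower().rstrip(".")
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return False, "internal hostname"
    if host not in allowlist:
        return False, f"{host} is not an allowlisted webhook host"
    return True, "ok"


def minimize_payload(event):
    """Forward only the fields the subscriber needs; everything else (author
    e-mail, client IPs, message bodies) stays on-platform."""
    return {k: v for k, v in event.items() if k in FORWARDED_FIELDS}


if __name__ == "__main__":
    for u in ("https://hooks.example.com/sayba", "http://hooks.example.com/sayba",
              "https://169.254.169.254/latest/", "https://attacker.example.net/"):
        print(u, validate_webhook_url(u))
```

An allowlisted hostname can still resolve to an internal address later, so re-resolve and re-check the address at delivery time as well, and sign each delivery with a per-subscription secret so the receiver can tell genuine notifications from forged ones.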

Missing User Warnings (Medium, 96% confidence)

Finding: The auto-update instructions direct robots to fetch remote skill content and overwrite a local file before every session, then react to a version change by invoking onboarding. This is a remote-influence path: untrusted changes to the hosted documentation alter local agent behavior and trigger new actions without human review.
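The safer shape is fetch, compare, hold: never overwrite the local file unless the fetched content matches a digest an operator already reviewed, and surface the diff otherwise. The check below is an added example for this page, not the skill's own auto-update procedure; the `version:` header format and both file contents are constructed, and the pinned digest is assumed to be recorded by the operator after reviewing a held diff.

```python
"""Pin-and-hold update check for a remotely fetched skill file (added example,
not the skill's own auto-update procedure). File contents are constructed."""
import difflib
import hashlib
import hmac
import re

VERSION_RE = re.compile(r"^version:\s*(\S+)\s*$", re.MULTILINE)  # assumed header format


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def version_of(content):
    m = VERSION_RE.search(content.decode("utf-8", "replace"))
    return m.group(1) if m else None


def stage_update(local, remote, pinned_sha256=None):
    """Decide what to do with freshly fetched content.
    Returns (action, detail): ('unchanged', ''); ('apply', digest) when the
    content matches the operator-pinned digest; or ('hold', diff) with a
    unified diff for a human to review before anything is overwritten."""
    if remote == local:
        return "unchanged", ""
    digest = sha256_hex(remote)
    if pinned_sha256 is not None and hmac.compare_digest(digest, pinned_sha256):
        return "apply", digest
    diff = "\n".join(difflib.unified_diff(
        local.decode("utf-8", "replace").splitlines(),
        remote.decode("utf-8", "replace").splitlines(),
        "skill.local", "skill.remote", lineterm=""))
    return "hold", diff


# Constructed sample: the remote copy bumps the version and adds a write action.
LOCAL = b"version: 1.0\n- read the feed\n"
REMOTE = b"version: 1.1\n- read the feed\n- post a daily summary\n"

if __name__ == "__main__":
    action, detail = stage_update(LOCAL, REMOTE)
    print(action, version_of(LOCAL), "->", version_of(REMOTE))
    print(detail)
```

Onboarding is re-run only on `apply`; a `hold` leaves the local file and the agent's behavior untouched until someone has read the diff and pinned the new digest.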

Missing User Warnings (Medium, 88% confidence)

Finding: The memory feature encourages storing preferences, experiences, and contextual interaction data with persistent retrieval and semantic search, but it does not warn that this may retain sensitive user data indefinitely and make it easier to rediscover later. Integrators may therefore store personal or confidential information without consent, minimization, or retention controls.

Missing User Warnings (Medium, 96% confidence)

Finding: The script takes the API key as a positional command-line argument, which exposes the credential through shell history, process listings, audit logs, and job runners. This is a real secret-handling weakness even though it appears to be done for convenience rather than malicious purposes.

Missing User Warnings (Medium, 97% confidence)

Finding: The script requires the API key as a command-line argument, which exposes the credential through shell history, process listings, audit logs, and job runners. Because this key is used to query goals and trigger execution of pending steps, disclosure could let another local user or a monitoring system reuse the key to access and operate the robot workflow.

Missing User Warnings (Medium, 93% confidence)

Finding: The script requires the API key as a positional command-line argument, which exposes the credential through shell history, process listings, job control logs, or monitoring tools on multi-user systems. This is a real credential-handling weakness even though the script otherwise uses HTTPS and does not intentionally leak the key.
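The three command-line findings and the overview's advice to keep the Agent Key off the command line all point at the same fix: give the script no positional slot for the key and take it from the environment or an owner-only file instead. The entry point below is an added example for this page, not the skill's own script; the variable name `SAYBA_AGENT_KEY`, the `--key-file` option and the sample key are assumptions for the demonstration.

```python
"""Agent Key handling that keeps the secret off the command line (added
example, not the skill's own script). The variable name SAYBA_AGENT_KEY, the
--key-file option and the file layout are assumptions for the demonstration."""
import argparse
import os
import stat
import tempfile
from pathlib import Path

ENV_NAME = "SAYBA_AGENT_KEY"   # assumed variable name


def parse_args(argv):
    """Hardened entry point: there is no positional slot for the key, so a key
    typed on the command line is rejected instead of landing in shell history,
    `ps` output, /proc/<pid>/cmdline and job-runner logs."""
    ap = argparse.ArgumentParser(description="run pending goals")
    ap.add_argument("--key-file", help="owner-only (0600) file holding the Agent Key")
    return ap.parse_args(argv)          # raises SystemExit on unexpected positionals


def key_from_env(env, name=ENV_NAME):
    value = env.get(name, "").strip()
    return value or None


def key_from_file(path):
    """Read the key from a file and refuse it if group or others can access it."""
    p = Path(path)
    mode = p.stat().st_mode
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{p} is group/world accessible; chmod 600 it")
    return p.read_text(encoding="utf-8").strip() or None


def load_agent_key(env=None, key_file=None):
    """Environment first, then the key file; never argv."""
    env = os.environ if env is None else env
    key = key_from_env(env)
    if key is None and key_file:
        key = key_from_file(key_file)
    if key is None:
        raise RuntimeError(f"set {ENV_NAME} or pass --key-file; never put the key in argv")
    return key


def demo():
    """Constructed walk-through; returns a dict of outcomes rather than printing."""
    key = "example-key-not-a-real-credential"   # constructed sample value
    out = {}
    try:
        parse_args([key])                       # the old style: key as positional arg
        out["positional_rejected"] = False
    except SystemExit:
        out["positional_rejected"] = True
    out["env_ok"] = load_agent_key(env={ENV_NAME: key}) == key
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "agent.key"
        f.write_text(key, encoding="utf-8")
        os.chmod(f, 0o600)
        out["file_0600_ok"] = load_agent_key(env={}, key_file=f) == key
        os.chmod(f, 0o644)
        try:
            load_agent_key(env={}, key_file=f)
            out["file_0644_rejected"] = os.name != "posix"   # mode bits are not enforced off POSIX
        except PermissionError:
            out["file_0644_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The environment is a better home than argv but not a perfect one: it is readable from /proc/<pid>/environ by the same user and by root, and it is inherited by every child process, so on a shared host the 0600 key file is the stronger choice.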

VirusTotal

65 of 65 vendors reported this skill as clean.
