Grazer — 24-Platform Content Discovery

Security checks across malware telemetry and agentic risk

Overview

Grazer mostly matches its discovery-and-engagement purpose, but it needs review because it can publish through connected accounts and includes under-scoped automation, telemetry/data-flow, and credential-handling concerns.

Install only if you want a tool that can use stored account tokens to post, reply, publish, and run continuous discovery. Keep auto_respond disabled unless explicitly needed, use test accounts and dry-run where available, restrict ~/.grazer permissions, replace the default LLM URL with an HTTPS endpoint you control, and do not use the bundled ClawHub token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Intent-Code Divergence (Low severity, 95% confidence)

The security section makes a stronger claim than the rest of the document supports: credentials are shown both in persistent local config and passed directly to the SDK constructor. This inconsistency can mislead users about where secrets may reside or be exposed, weakening trust in the security model and increasing the chance of unsafe secret handling.

Intent-Code Divergence (Medium severity, 97% confidence)

The document states the skill is read-only by default, but elsewhere advertises posting, publishing, auto-responses, and autonomous engagement. Even if some operations require explicit calls, this mismatch can cause operators to underestimate write-side effects and deploy the skill in contexts where unintended posting or publishing is risky.

Intent-Code Divergence (High severity, 96% confidence)

The module advertises itself as a content-discovery client, but the implementation also includes posting, engagement, SEO backlink generation, and telemetry/reporting behaviors. This mismatch is security-relevant because integrators may grant network access and credentials under a narrower trust assumption than the code actually requires, increasing the chance of unintended outbound actions.

Context-Inappropriate Capability (High severity, 95% confidence)

The SEO heartbeat and profile methods add backlink-promotion behavior unrelated to ordinary content discovery, and they can transmit agent identity, status, homepage URLs, and descriptive metadata to an external relay. In an agent skill context, this broadens the trust boundary and can be abused for covert external signaling, unwanted promotion, or exfiltration of operational metadata to a third party.

Context-Inappropriate Capability (Medium severity, 98% confidence)

The download reporting method silently posts package, platform, version, and timestamp data to a remote tracking endpoint. Even though the payload is limited, undisclosed telemetry in a library is dangerous because it creates unexpected external communication and weakens privacy and deployment assumptions for users of the skill.

Intent-Code Divergence (High severity, 95% confidence)

The `comment` command claims to leave a comment, but in the `clawsta` branch it calls `client.post_clawsta(args.message)`, which creates a new post instead of replying to a target. This is dangerous because automation or users expecting a scoped reply may unintentionally publish new public content, causing unintended disclosure, spam, policy violations, or action in the wrong context.

Context-Inappropriate Capability (High severity, 93% confidence)

The agent can automatically generate and send responses to comments and replies whenever config.auto_respond is enabled, with no approval step, policy gate, or recipient-level controls. This enables unattended outbound actions on user-linked accounts, which can cause spam, reputation damage, harassment, or platform-policy violations if triggered by malicious or unexpected content.

Intent-Code Divergence (Medium severity, 90% confidence)

The CLI's `comment` command promises to reply or comment on an existing target, but the `clawsta` branch ignores `--target` and calls `postClawsta(options.message)`, which creates a new post instead. In an agent skill context, this can cause unintended outbound actions, misleading operators and any higher-level automation into publishing content publicly when they intended to comment on an existing item.

Missing User Warnings (Medium severity, 92% confidence)

The deployment guide instructs users to publish to public package registries and submit metadata to a third-party tracker, but it does not include any warning that these actions are irreversible or externally disclose package names, repository details, and associated metadata. In an agent-executed or semi-automated context, this increases the risk of unintended public release and data exposure because the document presents networked publication steps as routine build actions.

Missing User Warnings (Medium severity, 93% confidence)

The documentation explicitly promotes autonomous discovery, auto-response, and posting behavior across external platforms, but it does not include a clear warning that the skill can modify third-party accounts or publish content automatically. In an agent-skill context, this increases the risk of operators enabling behavior that causes unintended posts, spam, reputational harm, or policy violations without informed consent.

Missing User Warnings (Medium severity, 95% confidence)

The 'Next Steps' section instructs users to enable auto_respond after testing, but it still lacks a direct warning that enabling this feature authorizes automated posting on live external services. That omission is risky because it can lead to unattended actions on public accounts with legal, operational, or reputational consequences.

Missing User Warnings (High severity, 99% confidence)

The checklist embeds a live bearer token directly in a curl command for an external API registration request. Storing secrets in documentation is dangerous because anyone with access to the file can reuse the token to impersonate the account, register or modify resources, and potentially access associated service data or quota.

Missing User Warnings (Medium severity, 88% confidence)

The README explicitly promotes outbound actions such as commenting, cross-posting, liking, and guestbook signing, but it does not clearly warn that these actions transmit agent-generated content to third-party services and may create privacy, spam, reputational, or policy-compliance risks. In an agent skill, this omission matters because operators may automate these write paths and unintentionally publish sensitive or inappropriate data to external platforms.

Missing User Warnings (Medium severity, 93% confidence)

The configuration example instructs users to store multiple API keys and tokens in a plaintext file under ~/.grazer/config.json without warning about secret handling, file permissions, or avoiding commits to source control. This creates a realistic credential exposure risk through world-readable files, backups, screenshots, shared home directories, or accidental repository inclusion.

Missing User Warnings (Medium severity, 84% confidence)

The README discloses that installs are reported to external download-tracking endpoints, but it does not explain what metadata is collected, whether identifiers such as IP/user-agent are logged, or how users can opt out. Underspecified telemetry can create privacy and compliance issues, especially in enterprise or regulated environments where outbound reporting from installation flows may be prohibited.

Missing User Warnings (Medium severity, 92% confidence)

The skill description promotes auto-responses, agent training, and an autonomous loop without prominent warnings about ongoing automated external actions. In an agent context, this is dangerous because operators may enable the skill expecting passive discovery while it can instead engage across many platforms continuously, causing spam, policy violations, or reputational damage.

Missing User Warnings (Medium severity, 90% confidence)

The examples include posting to 4claw and writing an SVG file, but do not explicitly warn that these actions create external side effects. In agent workflows, copy-pasted examples are often treated as safe defaults, so undocumented write behavior increases the risk of accidental posts, content generation, or filesystem changes.

Missing User Warnings (Medium severity, 88% confidence)

The document exposes operational deployment details, including internal/private host locations, infrastructure roles, and publication commands, without any caution around handling or disclosure. This can aid reconnaissance by revealing target systems and deployment pathways, increasing the risk of unauthorized access attempts or social engineering against the listed environments.

Missing User Warnings (Medium severity, 99% confidence)

This telemetry call occurs without any user-facing warning, consent flow, or obvious disclosure in the module interface. In a security-sensitive agent environment, silent outbound reporting is especially risky because operators may not realize the package is contacting a third-party service, which can violate policy and leak usage patterns.

Missing User Warnings (Medium severity, 95% confidence)

The function sends user-provided prompt content to a remote LLM endpoint, and the default endpoint is a hard-coded private-network HTTP URL rather than a clearly local in-process component. This creates a real data exposure risk because potentially sensitive prompt contents are transmitted off-component without encryption guarantees or any built-in disclosure/consent mechanism.

Missing User Warnings (Low severity, 82% confidence)

The episodes() method fetches an arbitrary feed_url with requests.get() and performs no validation of scheme, host, or destination. If an attacker can influence feed_url, this can be used for server-side request forgery against internal services or sensitive network endpoints, and the skill context increases risk because fetching remote RSS feeds is a normal behavior that could mask abuse.

Missing User Warnings (Medium severity, 91% confidence)

Automatic conversation deployment occurs solely based on a configuration flag and incoming notification type, without an in-the-moment warning, confirmation, or interactive consent. In a skill that can post publicly from connected accounts, this lack of user-facing friction materially increases the chance of unintended or unsafe outbound communication.

Missing User Warnings (Low severity, 88% confidence)

The notification handler logs sender identifiers and a preview of notification content directly to stdout. If logs are collected centrally, visible to other users, or stored insecurely, this can leak private communications and metadata without the user's explicit awareness.

Missing User Warnings (Medium severity, 93% confidence)

The code sends the full user prompt to an arbitrary external LLM endpoint via axios.post, which can expose sensitive or private user content to third parties. In a skill context, prompts may contain secrets, internal data, or personal information, and this file provides no consent, minimization, allowlist, or indication that data leaves the local system.

Missing User Warnings (Medium severity, 90% confidence)

The code sends download telemetry to an external endpoint without any disclosure, consent, or opt-in/opt-out control in this file. In an agent skill context, silent outbound reporting can violate privacy expectations, create compliance issues, and expose installation metadata to a third party even if the payload is limited.

VirusTotal

66/66 vendors flagged this skill as clean.