ClawHub

Publora Mastodon

Security checks across malware telemetry and agentic risk

Overview

This is a focused Mastodon posting helper for Publora, with the main risk being ordinary public posting through a third-party API.

Install only if you want your agent to post or schedule Mastodon content through Publora. Treat the Publora API key as sensitive, review text and media before sending, avoid posting secrets or private personal data, and remember that published Mastodon content may become public and federated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill provides ready-to-use examples that send post content and media to Publora/Mastodon but does not include any explicit warning that user text, images, and metadata will be transmitted to an external third-party service. In an agent setting, this can cause unintended disclosure of sensitive or private user content because the examples normalize external posting without requiring clear user confirmation or notice.

External Transmission

Medium
Category
Data Exfiltration
Content
HEADERS = { 'Content-Type': 'application/json', 'x-publora-key': 'sk_YOUR_KEY' }

# Step 1: Create post
post = requests.post('https://api.publora.com/api/v1/create-post', headers=HEADERS, json={
    'content': 'Here is a photo from our event 📷 #community',
    'platforms': ['mastodon-123456789']
}).json()
Confidence
84% confidence
Finding
requests.post('https://

External Transmission

Medium
Category
Data Exfiltration
Content
}).json()

# Step 2: Get upload URL (up to 16 MB, JPEG/PNG/GIF/WebP)
upload = requests.post('https://api.publora.com/api/v1/get-upload-url', headers=HEADERS, json={
    'postGroupId': post['postGroupId'],
    'fileName': 'photo.jpg',
    'contentType': 'image/jpeg',
Confidence
83% confidence
Finding
requests.post('https://

External Transmission

Medium
Category
Data Exfiltration
Content
HEADERS = { 'Content-Type': 'application/json', 'x-publora-key': 'sk_YOUR_KEY' }

# Step 1: Create post
post = requests.post('https://api.publora.com/api/v1/create-post', headers=HEADERS, json={
    'content': 'Here is a photo from our event 📷 #community',
    'platforms': ['mastodon-123456789']
}).json()
Confidence
84% confidence
Finding
requests.post('https://api.publora.com/api/v1/create-post', headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
}).json()

# Step 2: Get upload URL (up to 16 MB, JPEG/PNG/GIF/WebP)
upload = requests.post('https://api.publora.com/api/v1/get-upload-url', headers=HEADERS, json={
    'postGroupId': post['postGroupId'],
    'fileName': 'photo.jpg',
    'contentType': 'image/jpeg',
Confidence
83% confidence
Finding
requests.post('https://api.publora.com/api/v1/get-upload-url', headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
## Post a Toot (text)

```javascript
await fetch('https://api.publora.com/api/v1/create-post', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'x-publora-key': 'sk_YOUR_KEY' },
  body: JSON.stringify({
Confidence
85% confidence
Finding
fetch('https://api.publora.com/api/v1/create-post', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
## Post a Toot (text)

```javascript
await fetch('https://api.publora.com/api/v1/create-post', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'x-publora-key': 'sk_YOUR_KEY' },
  body: JSON.stringify({
Confidence
85% confidence
Finding
https://api.publora.com/

External Transmission

Medium
Category
Data Exfiltration
Content
HEADERS = { 'Content-Type': 'application/json', 'x-publora-key': 'sk_YOUR_KEY' }

# Step 1: Create post
post = requests.post('https://api.publora.com/api/v1/create-post', headers=HEADERS, json={
    'content': 'Here is a photo from our event 📷 #community',
    'platforms': ['mastodon-123456789']
}).json()
Confidence
84% confidence
Finding
https://api.publora.com/

External Transmission

Medium
Category
Data Exfiltration
Content
}).json()

# Step 2: Get upload URL (up to 16 MB, JPEG/PNG/GIF/WebP)
upload = requests.post('https://api.publora.com/api/v1/get-upload-url', headers=HEADERS, json={
    'postGroupId': post['postGroupId'],
    'fileName': 'photo.jpg',
    'contentType': 'image/jpeg',
Confidence
83% confidence
Finding
https://api.publora.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal