ClawHub

Influencer Report

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it needs review because the profile workflow can produce an influencer report from unrelated videos.

Review before installing if you rely on profile-based reports for brand-safety or business decisions. Prefer direct video URLs, verify that analyzed videos belong to the intended creator, use scoped Memories.ai API keys, and do not submit private or sensitive targets unless you are comfortable with Memories.ai processing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
In the profile-based flow, the script scrapes a requested creator profile but then analyzes videos from the entire V1 library and generic search results, without verifying that those videos belong to the requested handle/profile. This can produce a misleading vetting report about one influencer using unrelated creators' content, creating a serious integrity failure in a security/safety decision workflow.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description uses broad trigger terms like 'vet, analyze, or review an influencer/creator,' which can match many ordinary user requests and invoke the skill unexpectedly. Over-broad activation increases the chance that user-provided URLs or sensitive research tasks are routed to this skill and then transmitted to external APIs without the user realizing it.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill lacks a clear warning that creator profile URLs, video URLs, and derived analysis are sent to external Memories.ai APIs for scraping, transcript analysis, and metadata retrieval. This is dangerous because users may unknowingly cause third-party disclosure of targets, research subjects, or proprietary campaign evaluation workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends user-supplied profile URLs and video URLs to third-party Memories.ai endpoints, but provides no explicit disclosure or confirmation at the point of use. In an agent skill context, this matters because users may assume local analysis while the tool is actually transmitting potentially sensitive targets and research intent to an external service.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal