ClawHub

SendIt OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This SendIt skill is coherent for social publishing, but it gives an agent broad live posting, deletion, advertising, CRM, workflow, and connector authority without clear confirmation boundaries.

Install only if you trust SendIt and need broad social publishing automation. Before connecting accounts, review OAuth scopes, connect only the accounts needed, avoid optional agents/connectors unless necessary, and require manual approval before publishing, deleting, replying, bulk importing, creating ad campaigns, or triggering workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The bulk operations workflow instructs the agent to validate and then import a CSV that creates many posts, but it does not require an explicit user confirmation or warning before executing the write action. In a social publishing context, this can lead to unintended mass posting, reputational damage, or large-scale account activity from an ambiguous or mistaken user request.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation includes an example API key shaped like a plausible live secret (`sk_live_xxx`) in a direct login command, but provides no warning not to paste real credentials into shared terminals, logs, screenshots, or repos. In a skill centered on publishing and account management across many social platforms, this increases the chance of unsafe credential handling and accidental secret exposure.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal