Know Your Owner

Security checks across malware telemetry and agentic risk

Overview

This skill has a clear profiling purpose, but it needs review because it collects and stores broad data from logged-in social accounts and auto-downloads a browser automation dependency.

Install only if you are comfortable letting an agent use your logged-in browser sessions to read and locally store broad social-account data, including likes, favorites, follows, ratings, posts, uploads, and related third-party metadata. Review or pin the ManoBrowser dependency before use, choose platforms and data categories deliberately, inspect know-your-owner-data after collection, and delete stored raw JSON/profile files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (49)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The README explicitly tells an AI agent to auto-download and install ManoBrowser from GitHub on first use, expanding the skill from data profiling into code acquisition and execution. This is dangerous because it introduces a software supply-chain risk and grants the agent authority to fetch and run additional code not covered by the user’s original request.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The README extends the skill to a 'general mode' for exploring and collecting data from arbitrary platforms beyond the five declared sites. That broadens the capability into a general-purpose authenticated scraper, increasing the chance of overcollection, misuse, and access to sensitive data on unintended services.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The README claims the skill only collects the user's own data, but elsewhere it documents collection of following/follower-related lists and other social graph information that inherently includes third-party data. This is dangerous because it misrepresents privacy impact and may cause users or agents to authorize broader collection than they understand.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The privacy claims are materially misleading because the skill explicitly collects far more than a user's homepage, including likes, favorites, follows, ratings, and broadcasts across multiple services. Misrepresenting scope undermines informed consent and can cause users to authorize broader data collection than they intended.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The skill directs the agent to automatically fetch and install a third-party dependency from GitHub, introducing supply-chain risk and expanding capabilities beyond the profiling task. Auto-installing code without explicit approval or integrity verification can expose the environment to malicious or compromised upstream content.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill markets and enables general-purpose browser automation, platform exploration, and API reversing beyond the stated onboarding/profile-building purpose. That scope expansion increases the chance of unauthorized data access or secondary uses once powerful browsing tools are installed and connected.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The statement that stored data will not be used for other purposes conflicts with explicit reuse in daily conversations and by other skills. This inconsistency can mislead users about downstream processing and retention, weakening meaningful consent and increasing privacy risk.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The workflow performs bulk collection of highly sensitive behavioral and relationship data: full likes, favorites, and the complete follow graph. That far exceeds minimally necessary onboarding context and enables detailed profiling of private interests, habits, and associations from an already authenticated session, making misuse or overcollection especially dangerous.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The workflow explicitly harvests far more than minimal onboarding context: it extracts structured account metadata, scrolls to collect all visible posts, enumerates the full follow graph, and retrieves favorites from an authenticated Weibo session. In the context of a skill whose purpose is to build persistent USER.md and MEMORY.md profiles across multiple social platforms, this is dangerous because it enables large-scale collection of sensitive behavioral and relationship data without clear scope limitation, consent boundaries, or data-minimization controls.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The workflow deliberately injects an XHR interceptor to capture raw API responses for favorites and likes, including data not ordinarily exposed in the visible DOM. In the context of a skill explicitly designed to build a deep personal profile across logged-in social platforms, this enables covert harvesting of sensitive behavioral data and materially increases privacy and surveillance risk beyond normal page automation.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill monkey-patches XMLHttpRequest to intercept raw API responses and extract structured favorites/likes data that is not limited to what is minimally needed for onboarding. This materially expands data access and bypasses normal UI constraints, enabling large-scale harvesting of sensitive behavioral history from a logged-in account.

Vague Triggers

High
Confidence: 96%
Finding
The trigger conditions in the structured metadata are broad, such as recommending the skill for onboarding or whenever personalization is needed. For a high-privacy skill that reads logged-in social accounts, overly broad recommendation logic can cause agents to suggest or invoke it in situations where users did not intend such deep data access.

Vague Triggers

High
Confidence: 95%
Finding
The Chinese recommendation criteria include vague prompts like '了解我/认识我' ("understand me / get to know me") and generic personalization needs, which are insufficiently constrained for a sensitive collection skill. This makes accidental or manipulative prompting more likely, especially because the skill builds persistent user memory from authenticated social data.

Missing User Warnings

Medium
Confidence: 89%
Finding
The recommendation pitch emphasizes convenience and personalization while understating the sensitivity and breadth of data being collected from multiple logged-in platforms. For a skill that aggregates behavioral, preference, and inferred profile data, this framing can prevent users from giving truly informed consent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs automatic download and installation of ManoBrowser without a clear upfront warning or consent at the moment of installation. Installing software or automation tooling silently or implicitly is a risky behavior because it alters the user's environment and trust boundary.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill gathers extensive user-account data from an authenticated Bilibili session, including favorites and social graph information, without an explicit privacy notice or informed-consent flow. This is dangerous because users may not realize sensitive behavioral and relationship data is being harvested from their logged-in account.

Missing User Warnings

High
Confidence: 98%
Finding
The skill is explicitly designed to harvest a logged-in user's Douban identity, profile details, media history, comments, tags, and statuses, which are highly sensitive behavioral data. It does so without requiring a prominent privacy warning, granular consent, or data-minimization boundaries, increasing the risk of over-collection and downstream misuse in profiling or leakage.

Missing User Warnings

High
Confidence: 99%
Finding
The skill explicitly automates collection of highly sensitive personal data from the logged-in Douyin account, including likes, favorites, and the full following graph, to build a personal profile. The absence of a prominent consent and privacy warning is dangerous because it normalizes covert harvesting of intimate behavioral data that can be used for profiling, surveillance, or secondary disclosure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill states that no parameters are needed because it will automatically use the current browser's logged-in session, which bypasses any explicit user identity selection or confirmation step. This is dangerous because an agent could silently extract data from whichever account happens to be authenticated in the browser, including someone other than the intended user.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill explicitly collects extensive personal account data from a logged-in Weibo session, including profile metadata, posts, follow relationships, and favorites, then packages it for downstream profiling and memory storage. Even without obvious exfiltration code in this file, this is dangerous because it normalizes bulk harvesting of sensitive social-graph and preference data without an explicit informed-consent flow, minimization limits, or a prominent privacy warning.

Vague Triggers

Medium
Confidence: 95%
Finding
The workflow description explicitly targets collecting the logged-in user's 'full personal information' without defining narrow triggering conditions, user consent boundaries, or data minimization limits. In a profiling/onboarding skill, this broad scope materially increases privacy risk because it invites unnecessary collection of sensitive behavioral and relationship data beyond what is needed for a specific task.

Natural-Language Policy Violations

High
Confidence: 99%
Finding
The skill is designed to forcibly gather the current logged-in user's complete Bilibili profile, uploads, favorites, and follow list, with no indication of informed consent, selective import, or least-privilege behavior. This is dangerous because it builds a detailed behavioral and social graph from authenticated session data, enabling invasive profiling and downstream misuse if stored or reused.

Vague Triggers

Medium
Confidence: 91%
Finding
The workflow is explicitly designed to collect a logged-in user's full Douban profile, including profile metadata, reading/viewing history, wishlists, and status posts via authenticated requests. This is overbroad data harvesting of highly sensitive behavioral and preference data, and in the context of a skill whose purpose is to build persistent user profiles, the broad invocation materially increases privacy and profiling risk rather than being a harmless description issue.

Vague Triggers

Medium
Confidence: 91%
Finding
The workflow description uses expansive terms like deep collection and full data extraction without clearly bounding scope, necessity, retention, or user consent. Vague collection language around sensitive social account scraping makes it easier to conceal excessive surveillance and prevents users or reviewers from understanding the real privacy impact.

Missing User Warnings

High
Confidence: 99%
Finding
The manifest/workflow metadata does not warn users that the skill will access highly sensitive account data such as likes, favorites, and the full follows list from a logged-in session. Collecting this category of intimate behavioral data without a prominent warning and informed consent materially increases the risk of covert profiling and privacy harm.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.