Flickr Claw

Security checks across malware telemetry and agentic risk

Overview

This is a Flickr helper that transparently uses local user-supplied credentials to export/download photos and optionally edit Flickr metadata.

Install only if you want an agent-assisted Flickr workflow. Use read-only tokens for browsing/exporting, create write tokens only when you intend to edit metadata, protect ~/.openclaw token files as secrets, review photo IDs and metadata before running write commands, and delete exported CSVs or downloaded images when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill documentation describes file read/write behavior such as reading local credential files and writing exports/downloads, but it does not declare permissions. Undeclared capabilities reduce transparency and can cause users or hosting systems to grant more trust than warranted, especially for a skill that handles tokens, downloaded images, and local metadata files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow explicitly tells users to store API credentials and OAuth tokens under predictable paths in the home directory, but it does not warn that these files are sensitive secrets that should be protected with strict filesystem permissions and excluded from logs, backups, and version control. If another local user, process, malware sample, or backup system accesses these files, the Flickr account and API app can be abused without further authentication.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The documented export and download commands create local CSV files and image copies containing user Flickr data, but the workflow does not clearly warn that these artifacts persist on disk and may remain after review. This can cause unintended retention or secondary disclosure through shared folders, backups, temp storage, or later reuse by other tools.

VirusTotal

64/64 vendors flagged this skill as clean.
