Multi-Channel Engagement Agent

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can automatically post publicly from connected accounts while handling sensitive keys with weak safeguards.

Review carefully before installing. Use only dedicated low-value accounts and a low-balance Farcaster wallet, keep config.json out of git with restrictive permissions, avoid cron until manual tests are complete, and add a dry-run or explicit confirmation step before allowing live posts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The Farcaster write example instructs callers to place custody and signer private keys into environment variables and then invoke a subprocess to post content. In a social-engagement skill, this expands capabilities from ordinary API usage into wallet-backed actions with sensitive key material, increasing the risk of key exposure, unintended signing, and abuse of external posting authority.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The Moltbook flow includes automated captcha solving, which is a mechanism intended to bypass an anti-automation control. In the context of an autonomous engagement bot, this materially increases the skill's ability to evade platform safeguards and mass-post content, making misuse more dangerous.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The Moltbook path includes logic to automatically solve a verification challenge and submit the answer, which is effectively CAPTCHA/anti-abuse bypass automation. In the context of an autonomous engagement bot, this increases the tool's ability to evade platform friction controls and scale posting activity beyond normal manual use, making abuse and policy violations easier.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The Farcaster reply flow constructs a shell command containing credentials and untrusted reply text, then executes it via PowerShell. Even though double quotes are escaped, shell invocation remains dangerous because command construction with secrets and content passed through a shell can enable command injection, credential exposure, and unintended command execution if escaping assumptions fail.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill advertises broad trigger phrases such as 'engage on twitter', 'reply to trending', and 'social engagement bot', which can cause the agent to activate for common social-media assistance requests rather than explicit consent to autonomous posting. In this context, the capability performs external actions on connected accounts, so ambiguous invocation increases the risk of unintended autonomous engagement and reputation-impacting posts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill repeatedly describes autonomous replies, quote posts, mention handling, and cron-based scheduled execution, but does not present a clear warning that it will post to external social accounts using stored credentials. Because the action is public, persistent, and reputation-affecting, the lack of explicit warning and approval makes accidental or overbroad use materially risky.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example shows direct use of custody and signer private keys without any warning about secret handling, leakage risk, or operational safeguards. In practice, developers may copy this pattern into logs, shell histories, CI environments, or shared runtime contexts, exposing credentials that can be used for unauthorized posting or wallet operations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation states that write operations cost real USDC but does not prominently warn that using this flow spends funds. In an autonomous posting skill, omitted spending warnings can lead to unexpected charges or repeated micro-payments during automated operation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script autonomously posts generated replies to external platforms without any approval gate, dry-run mode by default, or explicit operator confirmation. In a social engagement bot, this materially raises the risk of unintended spam, reputational harm, policy violations, and misuse if the agent is misconfigured or prompted to act at scale.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Sensitive credentials are loaded and then used directly in network posting and subprocess execution, without clear user-facing notice or safeguards around how those secrets are propagated. Because the Farcaster path embeds secrets into a shell environment setup, the context makes this more dangerous: credentials may leak through process inspection, crash output, shell history, or debugging workflows.

External Transmission

Medium
Category
Data Exfiltration
Content
**Moltbook:**
```javascript
await fetch('https://www.moltbook.com/api/v1/comments', {
  method: 'POST',
  headers: { 'Authorization': `Bearer ${config.moltbook.apiKey}` },
  body: JSON.stringify({ postId, content: replyText })
```
Confidence
89% confidence
Finding
fetch('https://www.moltbook.com/api/v1/comments', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
- Rate limits: Tweets 50/15min, Searches 450/15min

**Option B: AISA API (alternative, good for trending)**
- AISA API endpoint: `https://api.aisa.one/apis/v1/twitter/tweet/advanced_search`
- Get API key at https://aisa.one
- Searches via AISA are fast and reliable for trending
- Config: add `aisaTwitterApiKey` to twitter platform
Confidence
76% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Farcaster (Neynar API):**
```javascript
const response = await fetch('https://api.neynar.com/v2/farcaster/feed/trending?limit=5', {
  headers: { 'x-api-key': config.farcaster.neynarApiKey }
});
```
Confidence
84% confidence
Finding
https://api.neynar.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```javascript
const answer = solveMathChallenge(data.verification.challenge);

    // Step 3: Verify
    await fetch('https://www.moltbook.com/api/v1/verify', {
      method: 'POST',
      headers,
      body: JSON.stringify({
```
Confidence
82% confidence
Finding
fetch('https://www.moltbook.com/api/v1/verify', { method: 'POST'

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
**Option A: x-api (OAuth 1.0a, official)**
- Get credentials at https://developer.x.com/en/portal/dashboard
- Create Project → App
- Set permissions: **Read and Write**
- Rate limits: Tweets 50/15min, Searches 450/15min

**Option B: AISA API (alternative, good for trending)**
Confidence
80% confidence
Finding
permissions: *

Excessive Permissions

Low
Category
Privilege Escalation
Content
**Option A: x-api (OAuth 1.0a, official)**
- Get credentials at https://developer.x.com/en/portal/dashboard
- Create Project → App
- Set permissions: **Read and Write**
- Rate limits: Tweets 50/15min, Searches 450/15min

**Option B: AISA API (alternative, good for trending)**
Confidence
78% confidence
Finding
permissions: *

VirusTotal

65/65 vendors flagged this skill as clean.
