运营工具skill (Operations Tools skill)

Security checks across malware telemetry and agentic risk

Overview

This social-media operations skill is mostly coherent, but it needs Review because it can operate real logged-in accounts, publish content, scrape or store business data, and generate misleading mock analytics without enough guardrails.

Install only after reviewing the account and data risks. Use a dedicated browser profile or test accounts for opencli, manually approve every publish, follow, comment, download, or upload action, avoid importing confidential client files into ima unless approved, store API keys securely, and treat the bundled fetch-script outputs as synthetic sample data unless the publisher fixes their provenance labeling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill instructs use of shell commands, local file reads under ~/.cursor/skills/, and file writes for generated reports and knowledge-base artifacts, but it does not declare permissions for those capabilities. This creates a trust and containment gap: a caller may invoke a seemingly harmless planning skill that can actually access the filesystem and execute commands, increasing the risk of unintended local access or command execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The manifest frames the skill as a new-media operations assistant for a limited set of platforms, but the instructions expand into additional collection and analysis domains such as e-commerce review scraping, demand mining, and Weibo/other-site monitoring. This mismatch weakens user consent and reviewability because the actual operational scope is broader than what the description advertises.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The skill goes beyond analysis and planning to include direct publication commands to external social platforms. Without an explicit approval gate, draft preview, and account-target confirmation, the agent could post content on behalf of the user using existing browser login state, causing reputational, legal, or business harm.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The guidance to perform self-generated interaction shortly after posting, including replying to hypothetical questions, promotes artificial engagement intended to influence recommendation or ranking signals rather than reflect genuine user behavior. In the context of a social-media operations skill focused on account growth, this is more dangerous because it operationalizes platform manipulation at scale and may lead users to violate platform integrity rules, risking account penalties or deceptive amplification.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The file defines inactivity triggers and behavior-based re-engagement using prior user interactions, saved content preferences, and prior questions to generate personalized wake-up messages. That moves beyond generic engagement copy into profiling and retention automation, creating privacy and data-governance risk if implemented without consent, disclosure, retention limits, or lawful basis for processing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The document exposes commands that can directly publish content to a user's Douyin or Xiaohongshu account, moving beyond passive analysis into live account modification. Because the same guide also emphasizes reusing existing browser login state, an agent following this documentation could perform real-world actions on behalf of the user without sufficient consent, review gates, or safety warnings.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding: The guide encourages downloading third-party platform content through commands operating under an already-authenticated browser session. Even if framed as analysis, this broadens the skill from strategy support into content acquisition that may violate platform rules, user expectations, or copyright/privacy boundaries when automated by an agent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The guide explicitly prescribes coordinated use of multiple accounts, including a secondary account tasked with commenting on the main accounts to funnel users into private-domain conversion. In skill context, this moves beyond analysis/content drafting into orchestrated engagement manipulation and can facilitate deceptive amplification, spam-like behavior, or platform policy evasion at scale.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The script presents itself as fetching real WeChat video comments, but it actually fabricates repeated hardcoded sample data. In a new-media operations skill, this can mislead downstream analysis, competitive intelligence, sentiment reporting, or automated decision-making, causing users to act on false evidence while believing it is live platform data.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The script advertises that it 'fetches Weibo comment data' but actually fabricates hardcoded sample comments and writes them out as if they were collected data. In a media-operations skill, this is dangerous because downstream analysis, reporting, competitor monitoring, or strategy decisions may be based on false evidence, creating integrity and trust risks even without direct code execution or data exfiltration.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The trigger phrases are broad and overlap with ordinary requests such as asking for content help or industry analysis. Overbroad activation increases the chance that a high-capability skill with shell, file, scraping, and publication behaviors is invoked when the user did not intend those operations, leading to accidental data access or external actions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill includes direct publishing behavior but does not require a clear risk notice or informed confirmation. In a context where opencli may reuse browser login sessions, a missing confirmation step materially increases the risk of unauthorized or mistaken posting to real brand accounts.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill repeatedly offers to save reports, account analyses, and operational materials into an external knowledge base, but it does not provide a privacy notice, retention explanation, or data-scope warning. That creates a risk of storing sensitive business documents, competitive intelligence, or account data without fully informed user consent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The document instructs generating personalized messages from historical behavior such as prior interactions, prior questions, and collected preferences, but provides no user-facing notice or privacy controls. This creates a concrete risk of covert profiling and undisclosed use of engagement data, which can violate platform rules or privacy obligations and erode user trust.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The document instructs users to obtain and configure an API Key but provides no guidance on secure storage, least-privilege handling, rotation, or avoiding accidental disclosure in files, screenshots, or shared skill directories. In an agent-skill context where users may copy configuration steps directly, this omission increases the likelihood of credential leakage and unauthorized access to the linked ima service.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The file-import instructions tell users to upload a local file into the knowledge base without warning that the file may contain confidential, personal, proprietary, or regulated data. Because this skill is designed for operational workflows and may process client PPTs and other business materials, users could inadvertently exfiltrate sensitive local content into a third-party knowledge system.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The guide explicitly instructs large-scale scraping of Douyin and Xiaohongshu (`--limit 500`) without any safeguards around authorization, platform terms, rate limiting, personal data minimization, or handling of user-generated content. In the context of a new-media operations skill that analyzes competitors and user comments, this can lead agents to collect or process personal/profile data in ways that violate platform rules or privacy expectations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The guide prominently advertises reuse of existing browser login sessions and direct browser control but gives no warning about the privacy, security, or account-integrity consequences. In this skill context, that omission is especially dangerous because the agent is intended to operate across social and content platforms where authenticated sessions may expose messages, drafts, account data, or allow unintended actions.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The publishing commands are listed as routine operational steps without any disclosure that they can create real posts on live user accounts. Given the new-media operations context, an agent could interpret these as normal actions and publish content immediately, causing brand, compliance, or reputational harm if the content is incorrect or unauthorized.

VirusTotal

64/64 vendors flagged this skill as clean.