ClawHub

letterboxd-companion

Security checks across malware telemetry and agentic risk

Overview

This is a narrow, read-only Letterboxd helper; its main cautions are public profile lookup, an unpinned Python dependency, and imperfect input/date handling rather than malicious behavior.

Reasonable to install for read-only Letterboxd lookups. Before using it, be aware it can display public activity for any supplied Letterboxd username, verify the username/account context, install the unpinned Python dependency carefully, and treat diary dates cautiously because the script hardcodes the year in recent diary output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The function fabricates diary entry dates by hardcoding the year as 2026 instead of using the actual year from the source data. This can mislead downstream users or agents into believing viewing activity occurred in the future, corrupting timelines, summaries, recommendations, or any logic that relies on accurate watch history.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The usage guidance is broad enough that the agent may invoke this skill for generic movie-related requests without first confirming that the user wants Letterboxd-specific data. That can cause unnecessary disclosure of a user's profile activity or misuse of a supplied username to fetch third-party account information outside clear user intent.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill description does not warn that it can retrieve and present a Letterboxd user's activity based only on a username, which may lead users or agents to expose profile statistics, diary entries, or watchlists without informed consent. In this context, the data is tied to identifiable user activity, so missing disclosure increases privacy risk and makes accidental over-collection more likely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal