Publish-Mate

Security checks across malware telemetry and agentic risk

Overview

The skill largely does what it advertises, but it can publish live website content and has an unsafe TLS bypass that could expose WordPress credentials.

Review before installing for production use. Use `preview` first, change the default post status to `draft`, use a dedicated low-privilege WordPress application password, avoid untrusted custom endpoints or direct image URLs, and fix or remove the TLS verification bypass before sending credentials to a live site.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

MCP Least Privilege

Severity: Medium
Confidence: 92%
Finding: The skill performs sensitive actions including network access, local file reads/writes, and use of environment-provided credentials, yet it declares no permissions or equivalent capability warnings in the manifest. This weakens user consent and platform enforcement, making it easier for the skill to publish content, persist state, and use secrets without the user being clearly alerted to those capabilities.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The code explicitly disables TLS hostname and certificate verification during WordPress image uploads by setting `check_hostname` to `False` and `verify_mode` to `ssl.CERT_NONE`. This permits man-in-the-middle interception of authenticated upload traffic, exposing Basic Auth credentials and allowing tampering with uploaded content or responses.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script accepts an arbitrary `--url` value and passes it directly to `urlopen()`, allowing outbound requests to any host rather than only the declared image providers. In an agent context, this creates an SSRF-capable primitive that can be used to reach internal services, cloud metadata endpoints, or attacker-controlled hosts and then persist the response to disk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README prominently advertises automatic publishing to WordPress and custom CMS platforms, but it does not clearly warn that the default publish flow creates live remote content and modifies an external site. In an agent skill context, unclear disclosure of side effects can lead users to trigger unintended publication, causing reputational damage, spam, or unauthorized changes on production sites.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The setup instructions suggest storing a WordPress application password in OpenClaw settings without warning that local config files may be readable by other local users, backed up, synced, or accidentally committed. Although the README mentions environment variables, showing secrets inline in JSON normalizes a weaker storage pattern for credentials that grant publishing access to a live site.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The default `/auto-publisher` command triggers a live fetch-compose-publish workflow and writes local config/history/log files, but the description does not clearly warn that this happens by default. A user could invoke the skill expecting a preview or setup flow and unintentionally cause public content publication or persistent local changes.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: This is the same underlying security issue as the TLS finding above: TLS certificate validation is disabled without user warning when uploading media. In an auto-publishing workflow that sends authenticated requests to a CMS, silent TLS bypass significantly increases the risk of credential theft and malicious content injection.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The custom API fetcher allows header values prefixed with `$` to be resolved from environment variables and then sent to an arbitrary configured URL. If an attacker can influence the config or source definition, this becomes a credential exfiltration path because secrets such as API tokens may be transmitted to untrusted endpoints without validation or explicit approval.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The custom publisher posts the entire article object to whatever endpoint is configured, with no validation, allowlisting, or explicit disclosure to the operator about where the content is being sent. In a skill that automates publishing to external systems, this creates a real exfiltration and misdelivery risk if configuration is malicious, mistaken, or user-controlled.

VirusTotal

66/66 vendors flagged this skill as clean.