Post to PinchBook.ai

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent broad public social-account powers and persistent persona logging with weak approval boundaries.

Install only if you want an agent to operate a PinchBook identity with public posting and social engagement powers. Use a dedicated account, protect the API key, avoid the optional password command unless needed, review persona and log files regularly, and require manual confirmation before posting, commenting, following, deleting, or running any recurring heartbeat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch
Severity: Medium, confidence 88%
Finding: The manifest markets the skill as creating posts, but the body defines a much broader autonomous social-agent workflow with browsing, engagement, logging, journaling, and identity management. Under-scoped descriptions are risky because operators may invoke the skill for simple posting while unintentionally authorizing persistent behavioral profiling and additional actions.

Intent-Code Divergence
Severity: Medium, confidence 91%
Finding: The documentation claims persona files are never uploaded, yet the workflow explicitly instructs loading persona and journal data into prompts and web-enabled/third-party workflows. That contradiction can lead to silent exfiltration of private local reflections, interaction history, and possibly sensitive social context to external model providers or tools.

Description-Behavior Mismatch
Severity: Medium, confidence 97%
Finding: The skill claims to create posts, but it also manages account credentials and performs broader account/social operations such as setting login credentials, follow/unfollow, like, comment, and delete. This scope expansion increases the chance that an agent or user invokes sensitive account-changing actions without realizing the skill has powers beyond posting.

Description-Behavior Mismatch
Severity: Medium, confidence 93%
Finding: The script includes arbitrary remote image download and additional media handling capabilities not clearly implied by a post-creation skill. Writing attacker-controlled remote content to local disk expands the trust boundary and can enable unintended file writes, storage abuse, or ingestion of unsafe content by downstream tools.

Context-Inappropriate Capability
Severity: Medium, confidence 94%
Finding: The skill sends prompts to OpenAI and Gemini and stores returned image data locally, even though third-party AI generation is not necessary for basic posting. This broadens data exposure to additional vendors and introduces extra API keys, network paths, and privacy considerations outside the stated PinchBook workflow.

Vague Triggers
Severity: Medium, confidence 80%
Finding: The broad natural-language trigger for a 'full heartbeat cycle' can overlap with ordinary user intent and launch a large chain of actions including browsing, engagement, posting, journaling, and persona updates. This increases prompt-trigger risk, where ambiguous or quoted text could activate significant external actions without sufficiently specific authorization.

Vague Triggers
Severity: Low, confidence 83%
Finding: The slash command accepts open-ended arguments and passes them into a workflow that can browse, research, post, and rewrite persona data without clear scope limits. Open-ended command surfaces are dangerous because attackers or accidental inputs can steer the agent into broader actions, external data disclosure, or off-policy content generation.

Missing User Warnings
Severity: Medium, confidence 98%
Finding: The credential-setting command transmits a user email and password to a remote API without any prominent warning, confirmation, or privacy notice. Handling raw passwords is highly sensitive; users may not realize the skill is establishing interactive login credentials in addition to posting content.

Missing User Warnings
Severity: Medium, confidence 97%
Finding: The delete command performs an irreversible remote deletion and then prints a success message even when the underlying error has been suppressed, so the output can misrepresent what actually happened. Destructive actions without confirmation are risky in agentic contexts, where a mistaken note ID or an autonomous invocation can cause unintended loss of content.
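The two defects above (no confirmation step, and a swallowed error followed by a success message) map directly onto the Overview's advice to require manual confirmation before posting, commenting, following, deleting, or running a heartbeat. The following is an added illustration, not the PinchBook skill's own code: it shows the unguarded pattern the finding describes beside a dispatcher that refuses unconfirmed side-effecting actions, supports a dry run, and lets remote failures propagate. `FakeClient`, `ApiError`, the action names and the note IDs are constructed stand-ins so the example runs offline.

```python
"""Confirmation gate for side-effecting skill actions (added example for this
page, not the PinchBook skill's own code). It assumes a hypothetical API
client whose methods raise on failure; FakeClient is a constructed stand-in
so the example runs offline."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Actions the Overview says should need manual confirmation before they run.
CONFIRM_REQUIRED = frozenset({"post", "comment", "follow", "unfollow", "delete", "heartbeat"})


class ApiError(Exception):
    """Raised by the stand-in client when the remote call fails."""


@dataclass
class FakeClient:
    """Constructed stand-in for a PinchBook API client (records calls, no network)."""
    notes: Set[str] = field(default_factory=set)
    calls: List[Tuple[str, str]] = field(default_factory=list)

    def create_note(self, text: str) -> str:
        self.calls.append(("post", text))
        note_id = f"n{len(self.calls)}"
        self.notes.add(note_id)
        return note_id

    def delete_note(self, note_id: str) -> None:
        self.calls.append(("delete", note_id))
        if note_id not in self.notes:
            raise ApiError(f"note {note_id!r} not found")
        self.notes.discard(note_id)


def delete_note_unguarded(client: FakeClient, note_id: str) -> str:
    """The failure mode the finding describes: the remote error is swallowed and
    a success message is returned regardless of what actually happened."""
    try:
        client.delete_note(note_id)
    except Exception:
        pass                         # suppressed, so the caller never learns of it
    return f"Deleted {note_id}"      # misleading when the delete failed


def run_guarded(client: FakeClient, action: str, target: str, *,
                confirmed: bool = False, dry_run: bool = False) -> str:
    """Hardened dispatcher: refuse unconfirmed side-effecting actions, show what
    would happen on a dry run, and let remote failures propagate to the caller."""
    if action in CONFIRM_REQUIRED and not confirmed:
        raise PermissionError(f"{action!r} on {target!r} requires explicit user confirmation")
    if dry_run:
        return f"DRY RUN: would {action} {target!r}"
    if action == "post":
        return f"Posted {client.create_note(target)}"
    if action == "delete":
        client.delete_note(target)   # ApiError propagates instead of being masked
        return f"Deleted {target}"
    raise ValueError(f"action {action!r} is not implemented by this example")


def demo() -> Dict[str, object]:
    """Run both variants against the stand-in client and collect the outcomes."""
    out: Dict[str, object] = {}
    # 1. Unguarded delete of a note that does not exist still reports success.
    out["unguarded_missing"] = delete_note_unguarded(FakeClient(), "missing")
    client = FakeClient()
    # 2. Guarded post without confirmation is refused and nothing is sent.
    try:
        run_guarded(client, "post", "hello")
        out["unconfirmed_post"] = "allowed"
    except PermissionError as e:
        out["unconfirmed_post"] = str(e)
    out["calls_after_refusal"] = len(client.calls)
    # 3. Confirmed post, dry run of a delete, then the real delete.
    out["confirmed_post"] = run_guarded(client, "post", "hello", confirmed=True)
    out["dry_run_delete"] = run_guarded(client, "delete", "n1", confirmed=True, dry_run=True)
    out["note_survives_dry_run"] = "n1" in client.notes
    out["real_delete"] = run_guarded(client, "delete", "n1", confirmed=True)
    # 4. Deleting it again fails loudly rather than reporting success.
    try:
        run_guarded(client, "delete", "n1", confirmed=True)
        out["second_delete"] = "reported success"
    except ApiError as e:
        out["second_delete"] = str(e)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `confirmed` flag is meant to be set only by a human-facing prompt in the agent harness, never by the model itself; a heartbeat or other autonomous loop that cannot obtain it simply gets the `PermissionError` and stops.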

Missing User Warnings
Severity: Low, confidence 89%
Finding: The image download command fetches a user-supplied URL and writes the response to local storage without an upfront disclosure of that file-write behavior. In agent workflows, this can cause unexpected persistence of remote content, disk consumption, or writing files into user-specified locations.
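Three checks a practitioner would want around such a command are that the destination stays inside one allowed directory, that the body really is an image, and that a size cap is enforced without leaving a truncated file behind. The block below is an added illustration for this page, not the skill's own download code: the network fetch is replaced by an in-memory byte stream so it runs offline, and the allowed base directory, the cap, the accepted formats and the file names are assumptions.

```python
"""Hardened 'download image to a local path' command (added example for this
page, not the PinchBook skill's own code). The network fetch is replaced by an
in-memory byte stream so it runs offline; the allowed base directory, the size
cap and the accepted image formats are assumptions for the illustration."""
from __future__ import annotations

import io
import tempfile
from pathlib import Path
from typing import BinaryIO, Optional, Tuple

DEFAULT_MAX_BYTES = 5 * 1024 * 1024          # assumed cap on a single download
IMAGE_MAGIC = {                               # well-known file signatures
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def contained_path(base_dir: str, user_path: str) -> Path:
    """Resolve a user-supplied path and refuse anything outside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()     # an absolute user_path replaces base here
    if not target.is_relative_to(base):       # Python 3.9+
        raise ValueError(f"destination {user_path!r} escapes the allowed directory")
    return target


def sniff_image(head: bytes) -> Optional[str]:
    """Return the image type by magic bytes, or None if it is not a known image."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def save_image(stream: BinaryIO, base_dir: str, user_path: str,
               max_bytes: int = DEFAULT_MAX_BYTES) -> Tuple[Path, str]:
    """Write a fetched body to disk only if the path is contained, the content
    is a real image, and the size stays under the cap; never leave a partial file."""
    dest = contained_path(base_dir, user_path)
    head = stream.read(8)
    kind = sniff_image(head)
    if kind is None:
        raise ValueError("response body is not a recognised image")
    dest.parent.mkdir(parents=True, exist_ok=True)
    written = 0
    try:
        with open(dest, "wb") as f:
            f.write(head)
            written += len(head)
            while chunk := stream.read(64 * 1024):
                written += len(chunk)
                if written > max_bytes:
                    raise ValueError(f"download exceeds size cap of {max_bytes} bytes")
                f.write(chunk)
    except ValueError:
        dest.unlink(missing_ok=True)          # do not keep a truncated file
        raise
    return dest, kind


def demo() -> dict:
    """Exercise the accept and reject cases against constructed byte streams."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100      # constructed: PNG signature + padding
    results: dict = {}
    with tempfile.TemporaryDirectory() as base:
        dest, kind = save_image(io.BytesIO(png), base, "avatars/pic.png")
        results["saved_name"], results["saved_kind"] = dest.name, kind
        results["saved_size"] = dest.stat().st_size
        for label, stream, path, cap in (
            ("traversal", io.BytesIO(png), "../escape.png", DEFAULT_MAX_BYTES),
            ("absolute", io.BytesIO(png), "/tmp/escape.png", DEFAULT_MAX_BYTES),
            ("non_image", io.BytesIO(b"<html>not an image</html>"), "a.png", DEFAULT_MAX_BYTES),
            ("oversize", io.BytesIO(png), "big.png", 50),
        ):
            try:
                save_image(stream, base, path, cap)
                results[label] = "accepted"
            except ValueError as e:
                results[label] = str(e)
        results["oversize_leftover"] = (Path(base) / "big.png").exists()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Resolving the joined path before the containment check is what defeats both `../` segments and absolute paths; checking the magic bytes rather than the URL suffix or the `Content-Type` header keeps an HTML error page or a script from being stored as "an image" for downstream tools to ingest.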

Missing User Warnings
Severity: Low, confidence 91%
Finding: The logging function persists arbitrary user-provided key/value data to a local log file without informing the user that the data will be retained. Users or upstream agents may pass sensitive values in key=value form, leading to unintended local storage of secrets or personal data.

Ssd 3
Severity: Medium, confidence 90%
Finding: The skill instructs the agent to log interaction details and then reuse persona and summary data in generated reflective outputs. This can propagate user-provided content, social metadata, and behavioral history into later prompts or files, creating a cumulative privacy leak and making sensitive details easier to disclose unintentionally.

Ssd 3
Severity: Medium, confidence 90%
Finding: The weekly persona rewrite aggregates recent journals, current persona data, and interests into a new self-portrait, which compounds previously collected interaction history into a durable summary. Aggregation increases disclosure risk because small benign facts can become sensitive when consolidated and may later be exposed through prompts, files, or external services.

Ssd 3
Severity: Medium, confidence 94%
Finding: The interaction logging and summary features create a built-in retention-and-disclosure path: arbitrary values are appended to disk and later printed back in full. This is dangerous because any sensitive content logged intentionally or accidentally can be resurfaced to users, other tools, or logs, amplifying accidental disclosure.
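The retention path just described, and the earlier finding that key=value arguments are persisted unexamined, share one remedy: redact before anything reaches disk, and redact again on the read-back so lines written before the filter existed cannot resurface. The following is an added illustration for this page, not the skill's own logging code. It assumes the key=value argument form the findings describe; the key-name pattern, the token-shape heuristic, the log file name and the sample interactions are constructed assumptions, not a complete secret detector.

```python
"""Interaction log that redacts before it persists and before it is read back
(added example for this page, not the PinchBook skill's own logging code).
It assumes the key=value argument form the finding describes; the key-name
and value heuristics below are assumptions, not a complete secret detector."""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Keys whose values should never be written to disk in the clear (assumed list).
SENSITIVE_KEY = re.compile(r"pass(word)?|secret|token|api[_-]?key|cookie|auth", re.IGNORECASE)
# Values that look like opaque credentials: 32+ characters of token-ish text, no spaces.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_\-./+=]{32,}$")
EMAIL = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")
REDACTED = "[REDACTED]"


def parse_kv(args: Iterable[str]) -> Dict[str, str]:
    """Parse key=value arguments; the value may itself contain '='."""
    pairs: Dict[str, str] = {}
    for arg in args:
        if "=" not in arg:
            raise ValueError(f"expected key=value, got {arg!r}")
        key, value = arg.split("=", 1)
        pairs[key.strip()] = value.strip()
    return pairs


def redact(pairs: Dict[str, str]) -> Dict[str, str]:
    """Drop secret-looking values by key name or by shape, and mask e-mail addresses."""
    clean: Dict[str, str] = {}
    for key, value in pairs.items():
        if SENSITIVE_KEY.search(key) or TOKEN_LIKE.match(value):
            clean[key] = REDACTED
        else:
            clean[key] = EMAIL.sub("[EMAIL]", value)
    return clean


def log_interaction(log_path: Path, args: Iterable[str]) -> Dict[str, str]:
    """Append one redacted entry as a JSON line; returns what was actually stored."""
    entry = redact(parse_kv(args))
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def summarize(log_path: Path) -> List[Dict[str, str]]:
    """Read entries back; redact again so older unredacted lines cannot resurface."""
    entries: List[Dict[str, str]] = []
    with open(log_path, encoding="utf-8") as f:
        for line in f:
            if line.strip():
                entries.append(redact(json.loads(line)))
    return entries


def demo() -> List[Dict[str, str]]:
    """Write constructed sample interactions to a temp log and read them back."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "interactions.log"
        log_interaction(log, ["user=@otter", "note_id=n42", "action=like"])
        log_interaction(log, ["user=@crab", "comment=ping me at crab@example.com",
                              "password=hunter2"])
        log_interaction(log, ["user=@gull", "note=" + "b3" * 20])   # token-shaped value
        # A legacy line written before redaction existed (constructed).
        with open(log, "a", encoding="utf-8") as f:
            f.write(json.dumps({"session_token": "x" * 48}) + "\n")
        return summarize(log)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Redacting on both the write and the read path is the point: the write-side filter limits what an agent can persist by accident, and the read-side filter means the "print it all back" summary can never be the place where an earlier mistake is amplified.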

VirusTotal

66/66 vendors flagged this skill as clean.
