Content Claw

Security checks across malware telemetry and agentic risk

Overview

This is a coherent content-generation skill, but it includes Reddit drafting instructions designed to imitate ordinary human participation and uses disclosed anti-bot scraping behavior.

Install only if you are comfortable with a content tool that fetches web sources, uses Playwright stealth scraping, sends image prompts to fal.ai, searches Exa, and stores generated artifacts locally. Be especially careful with the Reddit human agent: use it only for transparent drafts, avoid fake personal anecdotes or undisclosed promotion, and review platform rules before posting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The skill claims it only reads and writes within BASE_DIR, but its own path-resolution instructions dereference locations under the user's home directory to find that base. Contradictory scope rules weaken trust boundaries and can normalize access to home-directory paths, making it easier for an agent to read or write outside the intended project area if path handling is wrong or symlinks are abused.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The file defines behavior for generating Reddit posts/comments that mimic an ordinary human 'on their phone between meetings,' which conflicts with the skill's declared purpose of turning source material into publish-ready branded content. This mismatch is security-relevant because it enables covert persona-based messaging rather than transparent brand or author-attributed content, increasing the risk of deceptive engagement and policy evasion.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The instructions explicitly tell the agent to produce content that 'reads like it was typed by a real person' and to add behavioral quirks specifically to avoid looking AI-generated or marketer-authored. That is a deceptive human-impersonation capability that could be used for astroturfing, undisclosed promotion, social engineering, or reputation manipulation at scale.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The extractor explicitly advertises browser-based extraction that bypasses bot detection, which is not necessary for a normal content-generation workflow and signals intentional evasion of site controls. Even if used for scraping public pages, this increases legal, compliance, and abuse risk by helping the skill access content that websites are trying to restrict to automated agents.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The code actively hides automation by overriding navigator.webdriver, which is a classic stealth/evasion tactic. This is dangerous because it is designed to defeat anti-bot safeguards and can enable unauthorized scraping or access patterns beyond the skill's stated purpose of generating content from supplied material.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger phrases are broad enough to match ordinary requests like 'generate content' or 'make a post from this,' which can cause the skill to activate unexpectedly. In this skill's context, accidental activation is more dangerous because activation can lead to shell execution, web fetching, external API use, and persistent file writes.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The TODO explicitly plans to store detailed run context including topic, brand snapshot, prerequisite outputs, generated blocks, timing, model used, and errors, but does not mention consent, retention limits, redaction, or access controls. In a content-generation skill, these artifacts can easily contain sensitive business strategy, private source material, or user-provided proprietary data, so silent persistence increases confidentiality and privacy risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The markdown directly instructs the model to impersonate a real Reddit user but contains no warning, consent, or disclosure mechanism. In the context of a content-generation skill, this makes the feature more dangerous because it lowers friction for deceptive posting and could mislead communities into believing generated speech is authentic user experience.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The skill instructs the agent to create directories and write multiple YAML files under a local base directory, and to copy templates into place, without explicitly requiring user confirmation at the point of modification. This can lead to unintended local state changes, such as overwriting or cluttering user data, especially because the target path incorporates a user-supplied name and the workflow proceeds directly into follow-on actions.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding
The instructions explicitly direct the agent to save a generated YAML file to `BASE_DIR/recipes/<slug>.yaml` without requiring an explicit final consent step immediately before writing. In an agentic environment, silent file creation/modification can surprise users and may overwrite or persist content on disk in ways they did not intend, especially if `BASE_DIR` is broad or misconfigured.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding
The instructions direct creation of a new agent file at `BASE_DIR/agents/<name>.md`, and although the content says to show the user for approval before saving, it still lacks a strong, explicit warning about writing to disk and does not specify overwrite protection or path constraints. Because agent files can affect future behavior, writing them without robust confirmation and path validation increases the risk of unintended persistence or unsafe skill modification.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The PDF extractor downloads untrusted remote content and writes it to disk before parsing, but it does so without cleanup, size validation, or safety checks. This can enable resource exhaustion through very large files and leaves attacker-controlled files on the filesystem longer than necessary, increasing operational risk.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The script sends prompts derived from user-provided specs to fal.ai, which can include sensitive business content, unpublished materials, or proprietary text. In an agent skill that transforms papers, podcasts, and case studies into content, this external transmission is materially relevant because users may supply confidential source material without realizing it is being sent to a third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.