Back to skill

Security audit

Content Claw

Security checks across malware telemetry and agentic risk

Overview

Content Claw is a coherent content-generation skill, but it needs Review because it uses browser stealth, stored Reddit/X cookies, and broad engagement tracking with some scope and disclosure gaps.

Install only if you are comfortable with Playwright scraping, fal.ai/Exa API use, and optional Reddit/X cookie-based automation. Use a sandbox, scoped API keys, and preferably separate social accounts; avoid sensitive PDFs or internal URLs until temp-file cleanup and brand-scoping issues are fixed, and run dry-run/preview before any publishing workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The extractor explicitly advertises Playwright-based extraction to bypass bot detection and later masks automation by altering navigator.webdriver. In a content-generation skill, anti-bot evasion is not necessary for core functionality and creates misuse potential against sites that intentionally restrict automated access, increasing legal, policy, and abuse risk.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Launching Chromium with --no-sandbox disables an important browser isolation control while processing untrusted remote content. Because this skill fetches attacker-controlled web pages, disabling the sandbox materially increases the blast radius of a browser compromise on the host running the agent.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements authenticated posting to Reddit and X, which materially expands the skill from content generation into account action/external publication. In an agent-skill context, that creates a dangerous capability boundary violation: generated content can be pushed to third-party platforms using existing session cookies, enabling unauthorized or unintended posting if the skill is invoked with local credentials present.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The Reddit flow uses stored authentication cookies plus browser anti-detection measures like masking webdriver and disabling AutomationControlled. Combining authenticated session reuse with stealth automation is dangerous because it can let the skill act as the user on Reddit while attempting to evade platform defenses, which is inconsistent with a simple content-generation purpose and increases the risk of covert account misuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The X/Twitter flow repeats the same risky pattern: local cookie-based authentication combined with webdriver-masking automation to compose posts on behalf of the user. In this skill context, that means a content tool can silently cross into authenticated account operation and potentially publish unwanted content, spam, or reputationally damaging messages.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script launches Playwright with anti-detection settings such as disabling Blink automation flags, hiding navigator.webdriver, and using --no-sandbox while loading authenticated cookies to scrape social platforms. For a content-generation skill, this expands capability into covert authenticated browsing and platform-evasion behavior, which is risky because it can bypass normal transparency and make misuse harder to detect.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code path for --brand ignores the supplied brand and calls find_all_brand_runs("") which returns every run directory with publish_records.json under content. This causes cross-project data collection and writes aggregated engagement data into the provided brand's feedback file, creating unauthorized mixing of data across brands or workspaces.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad, such as 'make a post from this' or 'generate content from', which overlap with common benign user requests. Over-broad activation can cause the skill to engage in network access, scraping workflows, or file operations in contexts where the user did not intend to use this specific toolchain, increasing the chance of surprising or unsafe behavior.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The TODO explicitly plans to persist detailed per-run context including brand snapshots, inputs, generated blocks, models, and errors, but does not mention retention limits, minimization, access controls, or user notice/consent. In a content-generation skill, these artifacts may contain proprietary source material, sensitive business context, or personal data, creating privacy and data-handling risk if stored by default.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The roadmap includes publishing directly to external platforms and handling API credentials, but there is no mention of explicit user confirmation, least-privilege scopes, secret handling, or safeguards against unintended posting. In this skill context, automatic publishing can cause account compromise, unauthorized posts, reputational damage, or credential exposure if implemented loosely.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Collecting impressions, engagement, and click data from platform APIs and feeding it back into a brand graph introduces behavioral/profile data processing without any mention of disclosure, consent, minimization, or retention. While not inherently malicious, this creates privacy and governance risk because account analytics can reveal sensitive business strategy and user behavior patterns.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script loads browser cookies from a local file and uses them to perform authenticated scraping against X without any consent prompt, disclosure, or guardrails around whose account is being used. This can silently transmit brand-derived queries and tie activity to a real user session, creating privacy, compliance, and account-abuse risk in the context of an autonomous content-discovery skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs authenticated browser automation and persists publish records without an explicit execution-time warning or confirmation dialog. In an agent setting, missing user-facing consent and transparency materially increases the chance of silent account actions or local data persistence that the operator did not intend.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Reddit cookies are read from disk and injected directly into the browser context with no confirmation, notice, or scope limitation. Using stored session cookies for automated browsing can silently access account-scoped content and actions, increasing privacy and account-misuse risk if the cookie file is stale, overprivileged, or unexpectedly present.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The X/Twitter path mirrors the same issue by loading cookies from a local file into an automated browser session without user-facing disclosure. Combined with stealth settings, this enables opaque authenticated scraping of an account session, which is more dangerous in this skill because engagement tracking is ancillary to the advertised content-generation purpose.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.