Hotel Asset Marketer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed HotelPost social media workflow that uses sensitive tokens and can publish externally, but the reviewed behavior fits that purpose.

Install only if you want an agent to manage a HotelPost workspace and publish or schedule content on connected social accounts. Keep the hp_sk and uk tokens private, verify the MCP endpoint and helper tools, review drafts and target accounts before publishing, and confirm Feishu recipients before sending notifications.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly forbids direct exec/curl access to the MCP API, but later instructs the agent to use curl and shell commands for downloading remote images and creating directories. This expands behavior beyond MCP-only operations into arbitrary local command execution and remote file retrieval, increasing the attack surface for SSRF, unsafe file handling, and policy bypass if image URLs or filenames are attacker-controlled.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The skill advertises MCP-based social media generation/publishing, but its documented behavior also performs local filesystem writes, remote downloads, and optional Feishu messaging outside the MCP boundary. This mismatch weakens transparency and can cause the agent to invoke extra capabilities and external channels that users or reviewers did not expect, creating data exfiltration and unintended side-effect risks.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The activation criteria are broad enough to trigger on generic social-media or marketing requests, which can cause the skill to take over unrelated conversations and steer the agent toward external publishing workflows. In a skill capable of scheduling or publishing to live accounts, overbroad activation materially increases the chance of unintended external actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill includes publish and schedule operations against external social media accounts without an explicit user-facing warning that these actions make live changes. In this context, silent or insufficiently confirmed posting can directly affect public-facing accounts, brand reputation, and business operations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The example flow shows the assistant proceeding directly from a user request to publishing on an external social-media account after only selecting an account, without an explicit final confirmation or warning that the action is irreversible. In an agent skill that can post to real third-party platforms, this pattern can normalize unsafe behavior and increase the chance of accidental or unauthorized publication.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The scheduled publishing example sets up an automatic future post without clearly warning that it will publish later without another approval step. This is dangerous because users may treat scheduling as a draft-like action, when in fact it commits a real outbound action that will execute automatically on connected accounts.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The onboarding guide explicitly tells users to copy raw `uk_*` and `hp_sk_*` tokens into agent MCP configuration, but it does not clearly warn that these are sensitive secrets that may be exposed through config files, screenshots, backups, support bundles, or logs. Because both tokens are required together to authenticate MCP requests, disclosure of the configured values could enable unauthorized access to the user's identity context and the selected workspace.

VirusTotal

66/66 vendors flagged this skill as clean.