Hotel Social Automator

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent, but it should be reviewed carefully because it can publish or schedule live social media posts using sensitive tokens without strong final-approval safeguards.

Install only if you trust the HotelPost MCP service and need an agent to manage live social accounts. Use least-privilege or dedicated tokens, store uk_* and hp_sk_* as secrets, and require the agent to show the final draft, destination accounts, platform list, and scheduled time before any publish_post or schedule_post call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 88%
Finding
The activation criteria are broad enough to trigger on generic terms like 'hotel', 'post', 'publish', 'Instagram', or 'marketing scenario', which may cause the skill to activate outside the user's actual intent. In a skill capable of generating, scheduling, and publishing external content, over-broad triggering increases the chance of unintended tool use and disclosure of workspace-scoped data.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill supports publishing and scheduling posts to connected social accounts but does not require an explicit user warning or confirmation that content will be transmitted to third-party platforms. Because these are external, potentially irreversible actions affecting public accounts, lack of a clear consent checkpoint materially raises the risk of accidental posting or unintended data sharing.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
Defaulting content generation to Chinese without explicit user opt-in can cause unintended content creation in the wrong language, especially for publishing workflows. In this context the main risk is operational and reputational rather than a direct technical compromise, but it can still lead to accidental publication of unsuitable content to public channels.

Missing User Warnings

Medium
Confidence: 88%
Finding
The examples demonstrate scheduling and publishing posts to external social-media accounts immediately after minimal confirmation, without an explicit warning that the action will cause real-world external effects or that content may go live on connected accounts. In an agent skill that is specifically designed to manage authenticated social-media publishing, normalizing this behavior increases the risk of accidental unauthorized posting, especially if users misunderstand draft selection, account scope, or timing.

Missing User Warnings

Medium
Confidence: 91%
Finding
The onboarding instructions tell users to paste long-lived sensitive tokens directly into agent MCP configuration but do not warn about secure storage, config file exposure, log leakage, or token rotation. In this skill's context, both a workspace token and user token together authorize MCP actions, so insecure handling could let anyone with access to the config impersonate the user and operate on the workspace.

VirusTotal

66/66 vendors flagged this skill as clean.
