AI Trend Hunter Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed social-content automation tool, but it combines arbitrary scraping, third-party AI processing, local persistence, and X browser automation with under-specified controls.

Install only if you are comfortable reviewing and constraining it first: restrict source URLs, use a dedicated least-privilege social account and API key, confirm every draft before any X action, avoid scraping private or internal pages, and check where output files and provider requests are stored or sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium severity, 93% confidence
The workflow description says it scrapes TechCrunch headlines, but the actual configuration accepts an arbitrary user-supplied source URL. This mismatch expands the trust boundary and can lead users to authorize scraping from unintended sites, including sites with sensitive, deceptive, or prompt-injection content. In this skill context, that matters because scraped content is later sent to an LLM and used in browser-assisted publishing flows.

Context-Inappropriate Capability

Medium severity, 84% confidence
The workflow goes beyond content generation and invokes browser automation against x.com to populate drafts. That is a meaningful privilege expansion because browser automation can interact with an authenticated session and perform actions on behalf of the user, increasing the blast radius if earlier steps are manipulated or misleading. In this context, coupling scraping, LLM generation, and browser automation makes unintended posting-related actions more dangerous.

Missing User Warnings

Medium severity, 95% confidence
The documentation explicitly instructs users to set a schedule to automate posting, but it does not warn that the skill may publish externally on connected social accounts without per-post review. In a social-media automation context, that omission is risky because users may unknowingly enable unattended posting that can damage accounts, violate platform rules, or publish incorrect or unsafe content at scale.

Missing User Warnings

Medium severity, 81% confidence
The workflow writes scraped titles and generated drafts to local files without clear disclosure about file creation and persistence. This can expose sensitive or proprietary content to other local users, backups, sync tools, or later unintended reuse, especially if the arbitrary source URL points to private or sensitive pages.

Missing User Warnings

Medium severity, 94% confidence
Scraped page content is transmitted to the DeepSeek API, but the workflow does not clearly warn users that third-party processing occurs. If users provide or scrape confidential material, this creates a privacy and data-governance risk because external transmission may violate expectations, policy, or contractual restrictions.

Ssd 1

High severity, 98% confidence
User-controlled or attacker-controlled scraped content is interpolated directly into the LLM system prompt as {{SCRAPED_CONTENT}}. This creates a classic semantic prompt-injection path where page text can instruct the model to ignore prior guidance, alter outputs, embed malicious links, or produce content crafted to manipulate the later human review and X drafting steps. The risk is heightened here because the source URL can be arbitrary and the generated output is later pushed toward a real platform workflow.

VirusTotal

64/64 vendors flagged this skill as clean.