ClawHub

自媒体矩阵管家虾

Security checks across malware telemetry and agentic risk

Overview

This skill is a local social-media metrics reporting helper with optional report sharing, and the artifacts do not show hidden or malicious behavior.

Reasonable to install for social-media matrix reporting. Use CSV input, avoid including credentials or unnecessary personal data, review generated reports, and explicitly confirm Feishu document or group-chat destinations before sharing results outside the workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to save uploaded data files into the workspace and run a local analysis script, which constitutes file-write capability without an explicit permission declaration or user-facing authorization boundary. This creates a mismatch between the skill's documented capabilities and its actual behavior, increasing the risk of unexpected data persistence, accidental retention of sensitive business metrics, or unsafe downstream automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill tells the agent to save user-provided CSV/Excel files into the workspace but does not warn users that their uploaded data will be stored there. Because the data includes account identifiers, performance metrics, and possibly owner information, silent storage can expose sensitive operational data to unintended retention, reuse, or access within the agent environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill allows creating Feishu documents or sending group messages with analysis results but provides no warning or confirmation step before exporting potentially sensitive account-health, engagement, or risk data to external systems. This can lead to unintended disclosure to broader audiences, especially when reports include abnormal account status, owner attribution, or reputation-related sentiment findings.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal