Undersheet

Security checks across malware telemetry and agentic risk

Overview

UnderSheet mostly matches its thread-tracking purpose, but it also stores account credentials and can post publicly through multiple services without clear write-mode controls.

Install only if you intend to give this skill access to social-platform accounts, not just local memory. Prefer read-only credentials where available, omit write tokens unless you explicitly need posting, restrict credential file permissions, and avoid automated posting or Moltbook challenge solving unless you have deliberately approved that account behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%

Finding: The skill documentation instructs users to install and run Python code that reads environment variables, stores credentials on disk, writes persistent state, and performs network access, but the manifest does not declare corresponding permissions. This creates a transparency and policy-bypass problem: operators may approve a seemingly low-risk memory utility without realizing it can access secrets, persist data, and communicate with external services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 85%

Finding: The skill is presented as a passive thread-memory utility, but the documentation and adapter contract indicate broader authenticated and potentially write-capable interactions across multiple external platforms. That mismatch is dangerous because users or orchestration systems may invoke the skill under a low-risk assumption while it can act on third-party accounts, send content, and route traffic through proxies.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%

Finding: The manifest and top-level description emphasize thread memory, but the setup instructions include write-scoped credentials for several services and the platform adapter interface includes posting functionality. This discrepancy can mislead users into supplying powerful tokens to a skill they believe is only doing local memory/state management.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%

Finding: The skill claims to provide persistent thread-memory, but this adapter also performs authenticated comment posting and automatic challenge handling. That materially expands capability from passive tracking into active account actions, increasing the risk of unauthorized posting, abuse of a user's account, and hidden side effects inconsistent with the stated purpose.

Context-Inappropriate Capability

Severity: High
Confidence: 99%

Finding: The embedded CAPTCHA/challenge solver is unrelated to the advertised thread-memory purpose and is designed to bypass anti-automation controls on the remote platform. In skill context, this is especially suspicious because it enables covert automated posting at scale while defeating protections intended to require human verification.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%

Finding: The skill's stated purpose is persistent thread-memory and read-tracking, but this adapter can actively post comments to Reddit. That expands the trust boundary from passive data retrieval to external side effects, creating a real risk of unauthorized actions, spam, account misuse, or reputational damage if an agent invokes it unexpectedly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%

Finding: The adapter loads local Reddit credentials and performs password-based OAuth authentication even though the skill is presented as a memory/read-tracking utility. This gives the skill access to a user account and enables privileged actions beyond the minimally necessary scope, increasing the blast radius if the skill is misused or compromised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%

Finding: The skill's stated purpose is passive thread memory and feed tracking, but this adapter also exposes active write capability via post_comment. That mismatch increases the chance that agents or operators grant broader permissions than expected and unintentionally perform external actions on Twitter accounts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%

Finding: The module-level documentation emphasizes tracking threads and feeds, but the file also contains tweet-posting logic using OAuth write credentials. This is a security-relevant capability mismatch because users may install a seemingly read-focused memory skill without realizing it can act on their behalf.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The README explicitly instructs users to place platform credentials in a plaintext JSON file under ~/.config/undersheet without any warning about file permissions, encryption, or use of safer secret storage. That creates a realistic risk of credential disclosure through local compromise, backups, dotfile sync, shared systems, or accidental exfiltration by other tools/agents.

Missing User Warnings

Severity: Medium
Confidence: 88%

Finding: The documentation tells users to store multiple platform credentials and proxy settings in predictable filesystem locations without any guidance on file permissions, token scope minimization, rotation, or secret hygiene. In an agent environment, that increases the chance of credential leakage, reuse of overprivileged tokens, or accidental exposure through logs, backups, or other skills.

Missing User Warnings

Severity: Medium
Confidence: 90%

Finding: The code silently loads stored Hacker News credentials and uses them to authenticate without any user-facing disclosure or consent at the moment of use. In an agent skill whose purpose is persistent cross-session thread interaction, this creates a real risk of unintended account actions if the skill is invoked implicitly or by a higher-level agent workflow.

Missing User Warnings

Severity: Medium
Confidence: 96%

Finding: The function performs an authenticated network action that posts a live Hacker News comment as the user, but there is no visible confirmation, approval step, or interactive warning. In the context of an autonomous agent skill designed to persist engagement across platforms, this makes unintended posting materially more dangerous because an agent could publish content under the user's identity without a deliberate final check.

Missing User Warnings

Severity: Low
Confidence: 93%

Finding: This method posts comments to the remote service without any explicit disclosure or confirmation, creating hidden account actions. In the context of a memory/tracking skill, silent posting is more dangerous because operators would not reasonably expect it to perform public write actions on their behalf.

Missing User Warnings

Severity: Medium
Confidence: 89%

Finding: The OAuth access token is persisted to disk without any permission hardening, warning, or user disclosure. On multi-user systems or poorly secured environments, cached tokens may be recoverable by other local processes or users, enabling unauthorized API access until expiry.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The skill can perform an external write action by posting a Reddit comment without any built-in confirmation, dry-run mode, or user-facing warning. In an agent setting, that is dangerous because unintended prompts, tool misuse, or compromised orchestration could trigger visible public actions from the user's account.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The verification script automatically runs platform-specific adapter checks that call get_credentials() and get_feed(), which can consume configured secrets and make outbound network requests without an explicit user-facing warning or confirmation. In a verification utility for an agent skill that spans multiple platforms, this creates an unexpected side effect surface: running a local health check may contact third-party services, leak metadata to those services, or trigger actions under the user's configured account context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal