Genviral Skill

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its social-media automation purpose, but it needs Review because it can auto-post content and auto-update its own scripts and instructions from GitHub without strong user review controls.

Install only if you are comfortable giving this skill authority to manage Genviral-connected social accounts, store local performance and strategy data, and run shell scripts. Avoid enabling the daily self-update cron unless you manually review diffs or pin trusted versions, and use per-post approval for public posting. Keep the Genviral API key out of logs and shared files, avoid submitting sensitive media or voice/text to Studio, and verify IDs before running delete commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises shell-based operational capabilities through required binaries and script execution but does not declare corresponding permissions or clearly bound execution scope. This weakens platform trust and review controls because users and orchestration systems may not understand that the skill can execute local commands and manipulate files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented behavior goes beyond the stated purpose by including self-updating, subscription/credit inspection, trend research, AI generation, and local file modification. When a skill's actual scope is broader than its declared purpose, users may authorize it for one workflow while unintentionally granting capabilities that can fetch code, alter local content, or access additional business-sensitive data.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation instructs installation of persistent cron jobs that autonomously generate, post, analyze, and modify workspace state on a recurring basis. This expands the skill from on-demand API automation into unattended long-lived execution, increasing the risk of unintended actions, spammy posting, cost accumulation, and abuse if prompts, inputs, or connected accounts are compromised.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The self-update workflow authorizes the agent to run a script that pulls and applies upstream changes to SKILL.md, scripts/, and docs/ automatically. This is a classic trust-boundary violation: if the upstream source, update channel, or script is compromised, the agent can ingest new instructions or code and change its own behavior without human review, enabling supply-chain compromise and privilege expansion.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script automatically sources ${HOME}/.config/env/global.env, executing shell code from a user-controlled file unrelated to the immediate command. In an agent context, this expands trust to arbitrary local shell content and can load or execute unexpected commands, creating credential exposure and code-execution risk beyond the stated API wrapper behavior.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The updater harvests a GitHub token from either the GITHUB_TOKEN environment variable or the local gh CLI and sends it in an Authorization header to GitHub for a routine public update check. In a social-content automation skill, accessing unrelated developer credentials broadens the trust boundary and creates unnecessary credential exposure risk if the script, endpoint, or surrounding environment is compromised.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The README advertises a self-update mechanism that modifies local skill files and scripts, but it does not prominently warn users about the trust and integrity implications of pulling and executing remote updates. Even though it says workspace data is preserved, users may not appreciate that executable content under scripts/ and behavior-defining files like SKILL.md and docs/ can change locally after an update.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The skill directs persistent writes to workspace files without an explicit user-facing notice at the time of action. This can create unexpected retention of potentially sensitive business strategy, competitor research, or content plans on disk, which is a privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation exposes a destructive `delete-pack` operation with no warning about irreversibility, confirmation expectations, or guidance to verify the target pack before deletion. In an automation-focused skill, users or agents may execute commands directly from docs, making accidental bulk content loss more likely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `delete-pack-image` command is documented as a simple operation without cautionary language about permanent asset removal or validation steps. Because this skill is designed for full content pipeline automation, an agent could remove the wrong image at scale or break slideshow generation inputs, causing data loss and workflow disruption.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document gives direct posting instructions and requires persistent logging of post IDs, account IDs, captions, hooks, and analytics data, but provides no consent, confirmation, or privacy warning before publishing or recording identifiers. In an agent skill, this can cause unintended real-world actions and collection of potentially sensitive operational/account data without adequate user awareness or approval.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation exposes a bulk destructive operation (`delete-posts`) with no warning about irreversible effects, no recommendation to verify target IDs, and no mention of confirmation or dry-run safeguards. In an automation skill for managing social media content at scale, this increases the likelihood of accidental or scripted mass deletion of posts, especially when invoked by agents or users relying directly on examples.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation exposes a destructive `delete` operation with no warning, confirmation guidance, or mention of irreversibility. In an automation skill that manages social-media content pipelines, this increases the chance of accidental or scripted deletion of assets or drafts, especially if an agent invokes commands directly from docs without adding safety checks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly supports sending externally hosted image, video, and audio URLs and speech text to the Partner API, but it provides no warning that this may transmit personal, proprietary, or sensitive content to Genviral and potentially to downstream model providers. In an AI media-generation context, users may unknowingly submit third-party or regulated data, creating privacy, compliance, and data-handling risk rather than a direct code-execution issue.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The setup guide tells users to export an API key containing a secret but does not warn against exposing it in logs, shell history, screenshots, commits, or shared workspace files. In an agentic environment, missing secret-handling guidance materially increases the chance of credential leakage and subsequent unauthorized access to connected Genviral accounts and operations.

Self-Modification

High
Category
Rogue Agent
Content
```
scripts/
    genviral.sh             # 42+ commands wrapping every Partner API endpoint
    update-skill.sh         # Self-updater (keeps skill files current, never touches workspace/)

  prompts/
    slideshow.md            # Prompt templates for slideshow generation
```
Confidence
95% confidence
Finding
Self-update

Self-Modification

High
Category
Rogue Agent
Content
````
scripts/
    genviral.sh             # Main API wrapper (all commands)
    update-skill.sh         # Self-updater
```

## Command Routing
````
Confidence
97% confidence
Finding
Self-update

Self-Modification

High
Category
Rogue Agent
Content
````
## Auto-Updates

This skill includes a self-updater that keeps skill-owned files in sync with the latest version from `fdarkaou/genviral-skill`.

```bash
bash scripts/update-skill.sh           # check + apply if updates available
````
Confidence
98% confidence
Finding
Self-update

VirusTotal

59/59 vendors flagged this skill as clean.
