Genviral

Security checks across malware telemetry and agentic risk

Overview

This social-media automation skill is mostly purpose-aligned, but its self-updater can replace reviewed skill code from GitHub and its cron examples can post unattended to connected accounts.

Review before installing. Use only with a Genviral account you intend to let an agent manage. Disable or avoid the self-updater unless you manually review diffs. Do not schedule unattended posting until account targets and privacy settings are verified. Treat GENVIRAL_API_KEY and any GitHub token as sensitive credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no explicit permissions while clearly requiring shell execution through bash, curl, and jq. This can cause the host or user to underestimate the skill's capabilities, reducing informed consent and weakening policy enforcement around command execution and network access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill description presents broad social-media automation, but omits materially sensitive behaviors such as self-updating from GitHub, subscription inspection, trend intelligence calls, and Studio AI generation endpoints. Hidden or under-disclosed behaviors are dangerous because users may authorize the skill without realizing it can modify itself or invoke additional external services beyond posting workflows.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script implements a self-update mechanism that pulls executable skill content from a remote GitHub repository and replaces local files automatically. In an agent-skill context, this is dangerous because the effective behavior of the skill can change after review, enabling silent supply-chain compromise or post-install introduction of malicious prompts/scripts.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The updater reads GitHub credentials from GITHUB_TOKEN or the gh CLI and sends an Authorization header to GitHub for update checks. Although the intent appears operational rather than overtly malicious, accessing ambient credentials for a self-update path expands the trust boundary and can leak or misuse repository-scoped credentials in functionality unrelated to the skill's stated social-media automation purpose.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises capabilities to post content to external social media accounts and to update local skill files, but it does not prominently warn that these actions can have real-world side effects. In an agent skill context, missing explicit confirmation and safety guidance increases the risk that a user or autonomous agent invokes posting or update commands without understanding they will affect external accounts or modify the local installation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill can publish or schedule content across multiple external platforms and persist user/business data under workspace/, but the description does not prominently warn about these irreversible and privacy-relevant effects. In this context, incomplete disclosure is risky because accidental posting or retention of brand, account, and performance data can have operational and reputational consequences.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The documentation tells users to export a full API credential in a shell command but provides no guidance about secret handling, shell history, or safer credential-loading practices. In an automation skill that manages partner API access across multiple social platforms, this increases the chance of accidental credential exposure through terminal history, shared shells, screenshots, or copied setup commands.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation exposes a destructive `delete-pack` command with no warning about irreversible data loss, no recommendation for confirmation prompts, and no guidance to verify pack identity before deletion. In an automation-focused skill that manages content pipelines across platforms, this increases the likelihood of accidental or scripted deletion of user assets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The `delete-pack-image` command removes user-managed content but the docs do not warn that the action is destructive or suggest validating the image and pack IDs first. Because this skill is designed for bulk content automation, omission of deletion safety guidance can lead to accidental loss of slideshow assets and broken generation workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The pipeline includes commands that publish or draft content to external social platforms without an explicit warning, confirmation, or approval checkpoint. In an agentic workflow, this can cause unintended external actions, accidental posting to real accounts, reputational harm, and misuse of connected social media credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation exposes a bulk destructive operation (`delete-posts`) without any warning, confirmation guidance, or emphasis on irreversible consequences. In an automation-focused CLI skill, users or downstream agents may invoke this command programmatically or by copy-pasting examples, increasing the chance of accidental mass deletion of posts and operational disruption.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation encourages use of external `image-url`, `video-url`, and `audio-url` inputs but does not warn that those remote references will be fetched by the Partner API and/or upstream generation providers. This can expose private or signed URLs, trigger server-side requests to attacker-controlled hosts, and cause users to unknowingly transmit sensitive media locations or internal network endpoints to third parties.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The cron setup enables autonomous generation, posting, analytics collection, and local file modification on a schedule, but it does not prominently require explicit user consent, approval gates, or a clear warning that external social accounts and local workspace data will be affected without further interaction. In this skill context, that is materially risky because the actions target real third-party accounts and can publish content, alter strategy files, and change operational state unattended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script downloads and overwrites local skill files from a remote repository with no confirmation, integrity verification, or trust-on-first-use protections beyond HTTPS. In a skill environment, that allows remote content changes to alter executable scripts and prompt files silently, turning any upstream compromise or malicious commit into local code execution or behavioral manipulation.

Self-Modification

High
Category
Rogue Agent
Content
```
scripts/
    genviral.sh             # Main API wrapper (all commands)
    update-skill.sh         # Self-updater
```

## Command Routing
Confidence
95% confidence
Finding
Self-update

Self-Modification

High
Category
Rogue Agent
Content
## Auto-Updates

This skill includes a self-updater that keeps skill-owned files in sync with the latest version from `fdarkaou/genviral-skill`.

```bash
bash scripts/update-skill.sh           # check + apply if updates available
```
Confidence
97% confidence
Finding
self-update

Self-Modification

High
Category
Rogue Agent
Content
```bash
--cron "0 6 * * *" \
  --tz "YOUR_TIMEZONE" \
  --session isolated \
  --message "Run the genviral skill self-updater: bash scripts/update-skill.sh. It will check for updates to SKILL.md, scripts/, and docs/ from the upstream repo and apply them. Never touches workspace/. Report what was updated or confirm already up to date." \
  --announce
```
Confidence
97% confidence
Finding
self-update

VirusTotal

64/64 vendors flagged this skill as clean.
