Social Media Suite

Security checks across malware telemetry and agentic risk

Overview

This skill matches a social-posting purpose, but it is incomplete and asks users to store powerful social-media credentials while referencing scripts that are not included.

Install only if you understand this is documentation rather than a complete executable skill. Do not run third-party run.sh, instagram_poster.sh, or youtube_uploader.sh files unless you have reviewed their source. Store any Instagram or YouTube credential files outside shared or synced folders, restrict file permissions, exclude them from version control, and revoke or rotate tokens if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (93% confidence)
Finding
The skill instructs users to store long-lived Instagram access tokens and account identifiers in plaintext files under a local credentials directory without any warning about sensitivity, file permissions, or secure storage. If the host is multi-user, the directory is backed up, synced, committed, or otherwise exposed, these tokens could be stolen and used to post content or access connected social media resources.

Missing User Warnings

Medium (91% confidence)
Finding
The YouTube authentication flow tells the user it will generate a local `youtube_credentials.json` file but does not warn that this file is sensitive OAuth material. Such files may contain refresh tokens or other credentials that allow continued API access, and users may inadvertently leave them in insecure locations, backups, or source control.

VirusTotal

66/66 vendors flagged this skill as clean.
