小红书笔记搬运 (Xiaohongshu note reposting)

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated reposting purpose, but it can publish to live Facebook and WordPress destinations with weak confirmation and scoping controls.

Install only if you control the target Facebook page and WordPress site and are comfortable granting posting authority. Before use, change WordPress publishing to draft or require an explicit confirmation flag, verify destination account IDs, use least-privilege tokens, review exactly which files are in /tmp/openclaw/uploads, and avoid running the GUI upload automation unless the target dialog is visibly correct.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs use of network access, local file reads/writes, shell execution, and likely credential use, yet declares no permissions. This under-specifies its actual capabilities, preventing meaningful consent and policy enforcement for actions like downloading content, storing it locally, and publishing it externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The manifest description understates the full behavior: the skill downloads remote media, stores content persistently, stages files in a temp upload directory, uses shell commands, and publishes to WordPress via API. This mismatch can cause users or reviewers to underestimate data handling and outbound transmission risks.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The osascript/System Events automation controls a macOS file picker through synthetic keystrokes, which is a broad local GUI automation capability beyond simple content transfer. Such automation can interact with sensitive dialogs or unintended windows if focus changes, enabling unauthorized local actions or accidental data exposure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill directs use of arbitrary shell commands for remote download and image conversion, which introduces general command-execution capability not bounded by a safer abstraction. Combined with remote URLs and local file output, this increases the risk of unsafe command modification, unintended file writes, and broader abuse of the host environment.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The reference document includes concrete shell commands for downloading remote images with a forged Referer header and macOS UI automation via osascript to drive file-picker dialogs. In a skill whose purpose is cross-platform content reposting, these capabilities expand the operational scope into filesystem manipulation and desktop automation, which can enable unintended local actions, brittle automation against privileged UI, and misuse of third-party content without clear safeguards.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README describes an automation flow that downloads third-party content locally and republishes it to Facebook and WordPress, but it does not warn users about external data transfer, reposting effects, account actions, or consent/copyright implications. In an agent skill, missing disclosure around automated cross-platform posting increases the risk of unintended publication, privacy violations, and misuse of connected accounts.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The trigger description is broad enough that ordinary requests about reposting or publishing content could activate the skill unexpectedly. Overbroad activation is dangerous here because the skill performs local storage, remote downloads, and external publication, so accidental invocation can lead to unintended data handling or posting.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs posting content to WordPress using a bearer token but does not clearly warn that user data will be transmitted to an external service and published. This lack of disclosure is especially risky because publication is irreversible in practice and may expose credentials or sensitive content if misused.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill persistently stores downloaded content in a user Downloads path without clearly warning about local data retention, naming exposure, or filesystem privacy implications. Sensitive or copyrighted material could remain on disk longer than intended and be accessible to other local processes or users.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document explicitly instructs users to run a destructive `rm -rf /tmp/openclaw/uploads/*` command before publishing, but provides no safety guardrails such as path verification, existence checks, or warnings about accidental data loss. In an automation skill, normalizing manual destructive cleanup increases the chance an operator copies, adapts, or mis-executes the command and deletes unintended files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented workflow automates downloading, copying files into a temp upload directory, and publishing to Facebook and WordPress without any warning, approval gate, or discussion of consequences. This is dangerous because it can cause unauthorized or accidental posting to external accounts and unintended local file operations, especially since the skill is explicitly designed to republish content across platforms.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function unconditionally deletes all regular files in a fixed upload directory before copying new images, with no confirmation, isolation, or validation that the directory is dedicated to this run. In an automation skill that republishes content, this can cause unintended data loss or interference with concurrent jobs if other files are present in the shared path.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script reads arbitrary file contents from a user-supplied path and immediately transmits them to WordPress without any confirmation, preview, or explicit disclosure at runtime. In an agent or automation context, this increases the risk of accidental publication of sensitive local content if the wrong file is passed or if upstream tooling supplies unexpected input.

External Transmission

Medium
Category
Data Exfiltration
Content
**REST API**

```bash
curl -X POST "https://public-api.wordpress.com/wp/v2/sites/252834205/posts" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence
97% confidence
Finding
The flagged excerpt is the `curl` REST API call shown above, which transmits content to the external WordPress endpoint using a bearer token.

VirusTotal

66/66 vendors flagged this skill as clean.
