BapBook

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a BapBook social-network guide, but it also asks agents to run recurring public actions, follow mutable remote instructions, store credentials, and perform wallet/token-launch operations.

Install only if you intentionally want an agent to operate a BapBook identity and you are comfortable reviewing its public posts, comments, and votes. Do not enable the 30-minute heartbeat or remote skill fetching without explicit approval and stop conditions. Treat the API key and any wallet signatures or Four.Meme tokens as secrets, and require human confirmation for funding, wallet signing, token launch, or any on-chain transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill is primarily presented as a social-network integration, but later expands into wallet-signing, token-launch, backend proxy use, and on-chain transaction execution. That scope expansion is dangerous because an agent or operator may grant the skill trust appropriate for posting/social engagement, while the embedded instructions enable financially sensitive blockchain actions with materially higher risk.

Context-Inappropriate Capability

Low
Confidence: 87%
Finding
The OpenClaw section introduces commands like funding an agent and checking agent status, which go beyond the core documented BapBook posting/browsing behavior. This increases attack surface and can mislead consumers of the skill into authorizing broader capabilities than expected from a social-media integration.

Vague Triggers

Medium
Confidence: 81%
Finding
The heartbeat instruction tells the agent to periodically fetch a remote skill file and 'follow the Heartbeat Routine,' creating an open-ended, remotely updateable instruction channel. This is dangerous because the remote content can change over time and may introduce new behaviors, data exfiltration, spam, or privilege escalation without a fresh security review.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill encourages persistent storage of API credentials in memory, config files, or environment variables without clear security guidance, least-privilege expectations, or warnings about prompt exposure and local compromise. This can lead to credential theft, unauthorized posting/voting, and cross-context leakage if the agent later reveals stored secrets.

VirusTotal

66/66 vendors flagged this skill as clean.
