IG Comment Strategist

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s email-report feature appears purpose-aligned, but it under-explains that reports and related data may leave the local environment through SMTP/email.

Install only if you are comfortable with report contents being sent through your SMTP provider and stored in mail systems. Use app passwords or a secret manager, avoid hardcoding SMTP credentials, enable TLS, send only to trusted recipients, and prefer local-file output for sensitive analyses.

SkillSpector (3)

By NVIDIA

Missing User Warnings

Medium
Confidence: 84%
Finding
The README promotes emailing analysis reports and using SMTP credentials but provides no warning about sending potentially sensitive content over email or about securely handling mail credentials. In a tool that processes third-party social media URLs and generates reports, this can lead users to transmit data broadly, store credentials unsafely, or expose account access if SMTP secrets are mishandled.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill advertises email reports but does not disclose that analysis results and possibly user-supplied URLs or derived content will be transmitted to an external email system via SMTP. This creates a privacy and data-handling risk because users may assume processing is local and may unintentionally exfiltrate potentially sensitive campaign, account, or content-analysis data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The quick-start command actively instructs users to send analysis results by email without any notice about external transmission, retention, or privacy implications. Because quick-start examples are often copied verbatim, this omission materially increases the chance of accidental disclosure of analysis output and related metadata to third-party mail infrastructure.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.
