multi-writing-skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a real multi-platform writing and publishing tool, but it needs Review because it handles account cookies, sends drafts to external services, and can publish or disguise AI-written content with limited safeguards.

Install only if you are comfortable giving the tool publishing access to real WeChat, Zhihu, and Toutiao accounts and sending drafts or prompts to configured AI providers. Prefer test accounts, avoid storing browser cookies in plaintext config, review every generated or converted article before publication, and do not use the de-tracing feature to bypass platform disclosure or authorship rules.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (21)

Missing User Warnings (Medium, 89% confidence)
The README instructs users to extract and configure sensitive credentials, including browser cookies for Zhihu and Toutiao, and then use them to automate publishing. This creates real security risk because session cookies can grant full account access if mishandled, and the documentation does not warn about secure storage, least privilege, credential rotation, or the trust implications of sending content and tokens to external services.

Vague Triggers (Medium, 88% confidence)
The trigger conditions are broad natural-language descriptions that can match many loosely related user requests, increasing the chance the skill activates when the user did not intend to publish, transform, or invoke AI features. In a skill that can perform external publishing and CLI-backed actions, ambiguous triggering raises the risk of unintended side effects such as draft creation, content conversion, or outbound operations.

Missing User Warnings (Medium, 94% confidence)
The skill advertises multi-platform publishing, AI processing, and CLI usage but does not clearly warn users that content may be sent to third-party platforms, written to files, or created as remote drafts. This lack of transparency is dangerous because users may provide sensitive or unpublished content without understanding that invoking the skill could exfiltrate data externally or mutate local/remote state.

Missing User Warnings (Medium, 82% confidence)
The tutorial instructs users to set platform credentials and perform publishing-related actions but does not prominently warn about secret handling, local file permissions, shell history exposure, or the risk of unintended posting to real accounts. In a skill context that encourages natural-language automation, this increases the chance users disclose secrets unsafely or trigger external side effects without adequate caution.

Missing User Warnings (Medium, 89% confidence)
The save() method serializes sensitive values including app secrets, API keys, and platform cookies into a plaintext YAML file under the user's home directory. Storing reusable credentials on disk increases exposure to local compromise, backups, accidental sharing, or overly permissive file permissions, especially since there is no permission hardening or user warning before persistence.

Missing User Warnings (Medium, 94% confidence)
When use_api is enabled, the code sends the full Markdown content to a third-party or user-specified endpoint via httpx without any consent, warning, allowlist, or data-classification guard. Markdown often contains unpublished drafts, credentials, internal links, or embedded image URLs, so this creates a real confidentiality risk through external transmission.

Missing User Warnings (Medium, 89% confidence)
The converter sends user-provided Markdown and prompts to third-party AI providers, which can expose sensitive or proprietary content if users are not clearly informed. In this skill context, external transmission is core functionality, but the lack of disclosure/consent and absence of data-handling safeguards makes it a real privacy and compliance risk rather than a code-execution flaw.

Missing User Warnings (Medium, 93% confidence)
The converter sends full markdown content and title to a remote endpoint, which can expose sensitive draft content, secrets, or personal data to third-party services. In this skill context, that transmission is the feature itself, but the code provides no consent, trust boundary documentation, allowlist, or controls to prevent accidental exfiltration to arbitrary endpoints.

Missing User Warnings (Medium, 93% confidence)
The function fetches CSS from arbitrary http/https URLs, which introduces server-side request forgery risk and unintended outbound network access if an attacker can influence css_path. In this skill context, remote CSS is then parsed and transformed into inline styles, so a malicious URL could be used to reach internal services or pull untrusted content into the rendering pipeline.

Missing User Warnings (Medium, 92% confidence)
The helper function and underlying implementation transmit user-provided content to third-party AI endpoints and require an API key, but the file contains no consent, disclosure, redaction, or policy guardrails. In a writing skill, users may supply sensitive drafts, credentials, or proprietary text, so silent external transmission creates a real confidentiality and compliance risk even if the feature is intended.

Missing User Warnings (Medium, 92% confidence)
The code decodes remote image data and writes it to a NamedTemporaryFile with delete=False, leaving a persistent file on disk without cleanup or user disclosure. This can expose sensitive generated content to other local users, backups, or later processes, especially on shared systems or when prompts/images contain confidential material.

Missing User Warnings (Medium, 89% confidence)
The function sends the full user prompt to Google's external Gemini API, which is a real data-exposure risk if prompts may contain private, regulated, or proprietary information. In an agent skill context, users may not realize their input is leaving the local environment, making the lack of explicit disclosure and consent more dangerous.

Missing User Warnings (Medium, 92% confidence)
The code accepts arbitrary HTTP/HTTPS URLs for `image_path`, fetches them server-side, and then uploads the retrieved bytes to WeChat. This creates SSRF-style behavior and unintended data exfiltration risk because an attacker or untrusted input can cause the service to access internal resources or transmit third-party/internal content to an external platform without validation or disclosure.

Missing User Warnings (Medium, 97% confidence)
The upload flow accepts arbitrary http/https URLs, fetches them server-side, and then re-uploads the bytes to Zhihu. If an attacker can influence image_path, this creates an SSRF-style primitive and unintended data-transfer path that could be used to access internal resources or exfiltrate fetched/local content to a third party.

Missing User Warnings (Medium, 89% confidence)
User-provided topic, context, content, and titles are sent to an external AI provider, but this file provides no disclosure, consent flow, or data-minimization controls. In a writing assistant context, users may submit sensitive drafts, proprietary text, or personal information, creating a real privacy and compliance risk when transmitted off-system.

Missing User Warnings (Medium, 94% confidence)
The script automatically publishes a draft immediately after creation if the draft succeeds, with no confirmation, dry-run mode, or interactive safeguard. In a testing context this can still cause unintended public posting to a live Zhihu account when valid credentials are present, creating reputational and operational risk.

Ssd 2 (Medium, 97% confidence)
This section explicitly frames 'AI 去痕' (AI de-tracing) as a way to alter content so it is less likely to be detected as AI-generated, which is evasion guidance rather than neutral editing assistance. That can facilitate policy circumvention on publishing platforms and misrepresentation of authorship, especially when embedded as a supported skill capability.

Ssd 2 (Medium, 96% confidence)
The natural-language example maps a user request to 'make it read more naturally' directly into an automated humanize command, reinforcing concealment of AI origin through a low-friction interface. Because the skill advertises automatic command execution from benign phrasing, it lowers the barrier to misuse and makes evasion behavior easier to invoke at scale.

Ssd 2 (Medium, 95% confidence)
The full workflow includes an explicit step to 'humanize' AI-produced content immediately before publication, presenting evasion as a normal part of the publication pipeline. This operationalizes deceptive use by combining generation, concealment, and publishing in one documented flow.

Ssd 2 (Medium, 94% confidence)
The skill metadata advertises AI '去痕' (de-tracing) as an automatic trigger condition, meaning the agent may invoke evasion-oriented behavior from user intent without an additional safety gate. In skill metadata, this is more dangerous than a passive mention because it wires the behavior into automated orchestration.

Ssd 4 (Medium, 87% confidence)
User-controlled topic, context, and especially rewrite content are interpolated directly into one natural-language prompt without strong delimiting or role separation. This allows prompt-injection style instruction takeover, where embedded text can steer the model away from the intended transformation task, potentially causing policy bypass, data mishandling, or untrusted output in downstream workflows.

VirusTotal

66/66 vendors flagged this skill as clean.