Social Push Semi

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it says posting remains manual, but bundled scripts include live publish, comment, and account-data actions through a logged-in browser session.

Review before installing. Use only the documented preview wrappers, use a dedicated Xiaohongshu account/profile, keep CDP bound to localhost, inspect the filled post manually before publishing, and avoid the bundled direct publish, comment, notification, analytics, and account-reset commands unless you explicitly intend those live account actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: High (97% confidence)

Finding
The file presents itself as a semi-automatic publisher, but it also exposes broader capabilities for feed discovery, feed-detail extraction, commenting, mentions capture, and creator analytics export. This capability mismatch is dangerous because operators may grant trust, credentials, and browser access for publishing while the same tool can also perform surveillance and interaction workflows far beyond that stated purpose.

Context-Inappropriate Capability

Severity: High (96% confidence)

Finding
The code includes active engagement actions such as posting comments, and also contains like/collect helpers that can perform state-changing social actions under the logged-in user's account. In a skill marketed as a publishing scaffold, these hidden engagement capabilities increase the risk of unauthorized interaction, spammy behavior, account abuse, and reputational damage if invoked by another component or user without realizing they exist.

Context-Inappropriate Capability

Severity: Medium (91% confidence)

Finding
The script captures notification mentions and creator analytics data using the authenticated browser session, which extends it from publishing automation into account monitoring and data collection. This is dangerous because it broadens access to potentially sensitive account activity and performance data beyond the user’s likely expectation from a semi-automatic publishing tool.

Description-Behavior Mismatch

Severity: High (98% confidence)

Finding
The file-level behavior and CLI usage explicitly state that publishing occurs immediately by default, which conflicts with the skill's declared semi-automatic/manual-confirmation purpose. In this context, that mismatch is security-relevant because an agent or operator expecting a review step could unintentionally trigger irreversible posting to a live social account.

Description-Behavior Mismatch

Severity: High (99% confidence)

Finding
The implementation sets should_publish = not args.preview and then calls publisher._click_publish(), so any invocation without --preview results in a live publish action. For a skill advertised as '半自动发布' (semi-automatic publishing) with final human confirmation, this is an unsafe default that can cause unauthorized or accidental publication of generated content.

Intent-Code Divergence

Severity: Medium (94% confidence)

Finding
The module documentation normalizes immediate publishing as the default workflow, reinforcing the unsafe behavior and making misuse more likely by callers, maintainers, or downstream agents. In an automation skill for social posting, misleading documentation materially increases the chance that users will run a live-posting path when they believed the tool only staged a draft for manual confirmation.
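The three findings above all come down to one line of gating logic. The following is an added example, not code from the skill under review: unsafe_run reproduces the pattern the findings quote (should_publish = not args.preview, then _click_publish()), and safe_run shows the gating a semi-automatic publisher should have instead. The Publisher stand-in, the --publish flag, the interactive-terminal check and the confirmation prompt are assumptions made for illustration.

```python
"""Unsafe publish gating beside a hardened version, for a CLI that fills a
post through an attached browser session.

Added example, not code from the skill under review. unsafe_run reproduces
the pattern the findings quote; the Publisher stand-in, the --publish flag,
the interactive check and the confirmation prompt are assumptions.
"""
import argparse
import sys
from typing import Callable, List


class Publisher:
    """Stand-in for the skill's publisher: records the actions instead of
    driving a browser, so the gating logic can be exercised offline."""

    def __init__(self) -> None:
        self.filled = ""
        self.published = False

    def fill_post(self, title: str) -> None:
        self.filled = title

    def _click_publish(self) -> None:
        self.published = True


def unsafe_run(argv: List[str], publisher: Publisher) -> str:
    """The pattern from the findings: every invocation that omits --preview
    performs the live publish click."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--preview", action="store_true")
    parser.add_argument("--title", default="draft")
    args = parser.parse_args(argv)
    publisher.fill_post(args.title)
    should_publish = not args.preview
    if should_publish:
        publisher._click_publish()
        return "published"
    return "preview"


def safe_run(argv: List[str], publisher: Publisher,
             confirm: Callable[[str], bool], interactive: bool = True) -> str:
    """Hardened gating: preview is the default, a live publish needs the
    explicit --publish flag AND a yes at an interactive prompt, and callers
    without a terminal (agents, schedulers) are refused outright."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--publish", action="store_true",
                        help="perform the live publish click")
    parser.add_argument("--title", default="draft")
    args = parser.parse_args(argv)
    publisher.fill_post(args.title)  # prefill happens in both modes
    if not args.publish:
        return "preview"
    if not interactive:
        return "refused: --publish requires an interactive terminal"
    if not confirm(f"Publish '{args.title}' to the logged-in account? [y/N] "):
        return "aborted"
    publisher._click_publish()
    return "published"


def tty_confirm(prompt: str) -> bool:
    """Only an explicit 'y' counts; an empty answer keeps the safe branch."""
    return input(prompt).strip().lower() == "y"


if __name__ == "__main__":
    result = safe_run(sys.argv[1:], Publisher(), tty_confirm,
                      interactive=sys.stdin.isatty())
    print(result)
```

The point of the interactive check is that an agent or cron job invoking the script with --publish still cannot reach _click_publish(), which is the failure mode the findings describe: a caller that expected a review step but got a live post.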

Missing User Warnings

Severity: Medium (84% confidence)

Finding
The skill description omits a clear warning that it will generate local publishing artifacts and may automatically prefill a browser page via CDP. In a browser-automation and content-publishing context, missing disclosure can cause users to connect a logged-in account or local workspace without understanding the automation and data-handling implications.

Missing User Warnings

Severity: Medium (89% confidence)

Finding
The script sends user-provided topic, audience, and image-description content to a third-party API endpoint to generate images, but it does not present any explicit notice, consent step, or data-handling warning before transmission. In this skill’s context, users may input sensitive business plans, personal attributes, or account-targeting information for social media posts, so silent outbound sharing creates a real privacy and compliance risk even if the feature is intentional.

Missing User Warnings

Severity: Medium (94% confidence)

Finding
The comment-posting path performs an immediate state-changing action after filling content and clicking submit, without any final confirmation step or interactive warning. Because comments are public actions tied to the authenticated account, accidental or indirect invocation can cause unintended posts, spam, and trust or policy violations.

Missing User Warnings

Severity: Medium (89% confidence)

Finding
The login/re-login/switch-account flows clear cookies and local/session storage, which is a destructive account-state operation that can sign the user out and affect unrelated sessions in the attached browser profile. Without a strong warning or scoped isolation, users may unintentionally lose session state or disrupt other work in the same Chrome instance.
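The overview's two operational controls (keep CDP bound to localhost, use a dedicated account/profile) and the finding above about cookie-clearing flows in a shared Chrome profile can both be enforced before the script attaches to a browser. The following preflight is an added example, not code from the skill: it assumes the script is handed a CDP URL and a profile directory, the function names are illustrative, and the default-profile locations are Chrome's standard user-data directories on Linux, macOS and Windows.

```python
"""Preflight checks before a posting script attaches to a Chrome DevTools
Protocol (CDP) endpoint.

Added example, not the skill's code. It assumes the script is handed a CDP
URL and a profile directory; the function names are illustrative. The
default-profile locations are Chrome's standard user-data directories.
"""
import ipaddress
import os
from pathlib import Path
from typing import List, Optional
from urllib.parse import urlparse


def cdp_is_local(cdp_url: str) -> bool:
    """Accept the endpoint only if its host is a loopback address.

    Anything else (0.0.0.0, a LAN address, an arbitrary DNS name) would let
    any process that can reach the port drive the logged-in browser.
    """
    parsed = urlparse(cdp_url)
    if parsed.scheme not in ("http", "ws"):
        return False
    host = parsed.hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname other than localhost may resolve anywhere


def chrome_launch_args(profile_dir: str, port: int = 9222) -> List[str]:
    """Flags for a dedicated profile with DevTools bound to loopback only."""
    return [
        f"--user-data-dir={profile_dir}",
        "--remote-debugging-address=127.0.0.1",
        f"--remote-debugging-port={port}",
    ]


def default_profile_dirs(home: str) -> List[Path]:
    """Chrome's default user-data directories under the given home dir."""
    h = Path(home)
    return [
        h / ".config" / "google-chrome",                               # Linux
        h / "Library" / "Application Support" / "Google" / "Chrome",   # macOS
        h / "AppData" / "Local" / "Google" / "Chrome" / "User Data",   # Windows
    ]


def profile_is_dedicated(profile_dir: str, home: Optional[str] = None) -> bool:
    """Refuse to run cookie-clearing or account-reset flows against the
    user's everyday profile: the path must not be, or live under, a default
    Chrome user-data directory."""
    home = home or os.path.expanduser("~")
    target = Path(os.path.abspath(os.path.expanduser(profile_dir)))
    for default in default_profile_dirs(home):
        default = Path(os.path.abspath(default))
        if target == default or default in target.parents:
            return False
    return True


def preflight(cdp_url: str, profile_dir: str,
              home: Optional[str] = None) -> List[str]:
    """Collect every reason the session must not be attached; empty = go."""
    problems = []
    if not cdp_is_local(cdp_url):
        problems.append(f"CDP endpoint {cdp_url} is not bound to loopback")
    if not profile_is_dedicated(profile_dir, home):
        problems.append(f"{profile_dir} is the everyday Chrome profile")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a loopback endpoint and a throwaway profile.
    print(chrome_launch_args("/tmp/xhs-profile"))
    print(preflight("http://127.0.0.1:9222", "/tmp/xhs-profile") or "ok")
```

Running the script against a dedicated profile directory means the bundled login/re-login/switch-account flows can only clear cookies and storage for that profile, never for the user's daily browser, and binding DevTools to 127.0.0.1 keeps other hosts on the network from attaching to the same session.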

VirusTotal

65/65 vendors flagged this skill as clean.
