Security checks across malware telemetry and agentic risk

Overview

The skill is coherent with its Facebook auto-posting purpose, but it ships live-looking credentials and can post directly to a Facebook page without strong safeguards.

Review before installing. Remove and rotate all bundled keys and Facebook tokens, verify the Page ID is yours, use least-privilege Facebook permissions, keep dry-run as the default during testing, and avoid running publish or test-post commands until you are ready for a real public post.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises substantial capabilities that require environment access, filesystem I/O, and network communication, but it does not declare corresponding permissions. This creates a transparency and governance gap: users and platforms cannot accurately assess what the skill can access before use, which increases the risk of unexpected data handling or outbound actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates the actual behavior by omitting sensitive functions such as token handling, scraping Facebook content, image generation, scheduling, and analytics retrieval. When a skill's description is materially narrower than its real capabilities, users may authorize or run it without understanding it can access credentials, collect additional data, or perform broader actions than expected.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The README exposes live-looking credentials and identifiers, including an OpenAI key fragment, an Apify token fragment, and Facebook App/Page IDs. Even partial or example-looking secrets in public documentation can enable unauthorized use, assist token stuffing or reconnaissance, and strongly suggest unsafe secret-handling practices in a production automation pipeline.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The test-post path allows direct publishing to Facebook without requiring article crawl/rewrite context, creating a generic posting primitive separate from the skill's stated purpose. If exposed to untrusted users or misused operationally, it can be used to publish unauthorized content, cause reputational harm, or bypass workflow checks intended for article-based posts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to place Facebook access tokens into `.env` while also stating that some app credentials are already present, which normalizes insecure handling of sensitive authentication material. In a skill that automates posting to a live Facebook page, poor token hygiene increases the risk of account compromise, unauthorized publishing, and accidental credential leakage.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README provides commands for real posting and scheduled publishing to a Facebook Fanpage without a prominent warning that execution can publish live content. In the context of an end-to-end autonomous content pipeline, this raises the risk of accidental unauthorized posts, reputational damage, spam policy violations, or misuse if run by an unsuspecting operator.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Publish mode can post directly to a live Facebook Page, but the skill text does not present this as a prominent safety warning. Without a clear warning and confirmation boundary, a user may unintentionally trigger real-world external actions that affect public-facing accounts and brand reputation.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The setup instructions list sensitive API keys and Facebook credentials without guidance on secure storage, least privilege, rotation, or log redaction. This increases the chance that operators mishandle secrets, commit them to source control, or expose them through debugging and reporting workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script writes long-lived user tokens and page access tokens to a local JSON file in plaintext. These credentials can be reused to manage Facebook pages, so storing them on disk without explicit consent, restrictive permissions, or secure storage increases the chance of accidental disclosure through local compromise, backups, logs, or source-control mistakes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The agent sends scraped article text plus metadata such as URL, title, description, and author to a third-party Gemini API without any visible consent gate, redaction step, or policy enforcement in this file. If scraped content contains personal data, confidential text, copyrighted material, or sensitive internal URLs, that data is exfiltrated to an external processor, which creates privacy, compliance, and data-handling risk.

Credential Access

High
Category
Privilege Escalation
Content
)
    console.print(table)

    # Save to .env hint
    console.print("\n[bold green]✅ XONG! Cập nhật .env:[/bold green]")
    for page in pages:
        console.print(f"\nPage: [bold]{page.get('name')}[/bold] (ID: {page.get('id')})")
Confidence
88% confidence
Finding
.env

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal