
Security audit

qwe

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a Facebook Page publishing tool, but it needs review because it handles powerful Page credentials, stores them insecurely, and can make live public posts too easily.

Install only if you control the Facebook app and Page. Before use, verify the token helper authorizes your own Meta app, avoid running fb_publisher_agent.py directly unless you intend to publish the test post, delete or protect fb_tokens_output.json, rotate exposed tokens, and do not provide OpenAI or Apify credentials unless a specific documented workflow actually requires them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises capabilities that imply environment access, file writing, and network operations, but it does not explicitly declare permissions or bound those behaviors. In an agent setting, undeclared capabilities reduce transparency and make it harder for reviewers and operators to understand that the skill can access secrets, write local artifacts, and transmit data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose says the skill automates Facebook Page publishing, but the described behavior also includes token exchange, connectivity testing, analytics retrieval, scheduling, and writing token data to disk. This mismatch is dangerous because users may authorize or run the skill expecting simple posting while it actually handles highly sensitive credentials and broader operational actions that expand the attack surface.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file is not just a posting helper; it explicitly guides the user to acquire Facebook user credentials, exchanges them into longer-lived tokens, and prepares them for reuse outside the immediate runtime. That expands the skill from publishing into credential acquisition and handling, which materially increases security risk because user and page tokens can be abused to access or act on Facebook assets if exposed.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script prints full long-lived user and page access tokens and exports them for manual placement into .env and a local JSON file. This creates credential exfiltration and persistence paths that are broader than needed for a page-posting skill, making accidental leakage through terminals, shell history, screenshots, local compromise, backups, or source control much more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill lists highly sensitive secrets such as app secret and page access token, and discusses token-management workflows, but does not present a prominent user-facing warning about the sensitivity and risk of exposing those credentials. In this context, mishandling these values could allow unauthorized posting, account abuse, or takeover of Page automation workflows.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code writes sensitive long-lived user and page access tokens to fb_tokens_output.json on disk, and the warning appears only after the write occurs. Storing bearer tokens in plaintext creates an immediate compromise risk because anyone or any process with filesystem access can reuse them to manage pages and potentially access associated Facebook resources.

Credential Access

High
Category
Privilege Escalation
Content
## Security
- Never log tokens or app secrets
- Store all secrets in .env (ignored by git)
- Validate webhook signatures if using webhooks
- Monitor token validity daily with a cron job
Confidence
81% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.
