Clawnote

Security checks across malware telemetry and agentic risk

Overview

Clawnote is a disclosed review-first content workflow that prepares Xiaohongshu drafts and only supports live publishing after explicit approval.

Install only if you want a workflow that creates local draft and memory files, uses Feishu review identifiers from your environment, and can call your own Xiaohongshu publishing toolkit after explicit live-publish confirmation. Keep deletion and publishing confirmation-based, verify any cron setup yourself, and ensure the local toolkit and login state belong to the account you intend to use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill instructs the agent to read files and use bundled Python scripts, which implies file, environment, and shell capabilities, but it does not declare permissions explicitly. This creates a mismatch between the skill's documented trust boundary and its effective execution surface, making it easier for an agent or reviewer to underestimate what the skill can access or modify.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The default prompt broadly invokes the skill for creating a Xiaohongshu workflow without clearly constraining when the agent should activate it. In combination with an agent ecosystem that supports tool or skill routing, this can cause overbroad or unintended activation, pulling the model into content-generation and publishing workflows when the user did not explicitly request this skill.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
Enabling implicit invocation without a narrowly defined activation context increases the chance that the skill is auto-selected during loosely related requests. Because this skill handles review, approval, and optional publishing workflows, accidental activation could steer the assistant into sensitive operational actions or generate publish-ready content without sufficiently deliberate user initiation.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The delete example uses a natural-language command to remove a note based only on title and timestamp, without any explicit scope restriction, unique identifier, or confirmation step. In a content-operations skill that may act on publishing systems, this can lead to accidental deletion of the wrong post if parsing is ambiguous, metadata is duplicated, or the command is replayed against the wrong account or workspace.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill documents a destructive delete action without any warning that it is irreversible or operationally risky. Because this skill is explicitly designed for repeatable content workflows, normalizing deletion as a simple command increases the chance that users or downstream agents invoke it casually, causing avoidable content loss or operational mistakes.

VirusTotal

65/65 vendors flagged this skill as clean.