AI全链路内容工坊 (AI Full-Pipeline Content Workshop)

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent content-automation tool, but it needs review before installation because it can publish to real public accounts without a clearly enforced approval step.

Install only if you trust the dependent publishing skills and are comfortable connecting real WeChat and Xiaohongshu accounts. Configure it for draft or preview output by default, require explicit confirmation for each platform before posting, keep credentials in a secure secret store with minimal scopes, and avoid scheduled live publishing unless there is a separate human review gate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium. Confidence: 94%.
Finding
The metadata claims human review is required for publishing, but the workflow itself proceeds to an automatic publish step without any explicit approval gate, condition, or pause. This mismatch can cause operators or downstream systems to trust that review will occur when in practice content may be posted automatically to external platforms.

Missing User Warnings

Severity: Medium. Confidence: 94%.
Finding
The README explicitly promotes automated publishing to public platforms and user-linked accounts, but it does not clearly warn that execution can create or modify public content on behalf of the user. In an agentic workflow, this omission is dangerous because users may authorize or trigger posting without understanding reputational, compliance, or account-level consequences.

Vague Triggers

Severity: Medium. Confidence: 88%.
Finding
The trigger phrases are broad, natural-language commands that can overlap with ordinary user requests, increasing the chance the skill activates unintentionally. In a skill that performs multi-step content generation and publication, accidental triggering can cause unwanted downstream actions, including drafting or publishing content without sufficiently explicit user consent.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding
The skill advertises a one-command workflow that ends in automatic publishing to external platforms, but it does not prominently warn that this changes external account state and may expose brand, business, or personal accounts to unintended posts. In this context, the absence of strong consent and review controls is dangerous because the skill operates across multiple platforms and can amplify the impact of a mistaken or malicious invocation.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding
The skill instructs users to configure platform API credentials and backend authorization but does not explain that these are sensitive secrets requiring secure storage, least-privilege scopes, and non-disclosure. Because the workflow integrates publishing tools for real external accounts, poor credential handling could lead to account takeover, unauthorized publishing, or abuse of connected services.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding
The workflow declares automatic publishing to external platforms but provides no user-facing confirmation, warning, or opt-in control in the manifest. In a high-automation content pipeline, this raises the risk of accidental posting, reputational harm, and unintended disclosure of generated or sensitive content.
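The Overview's recommendations (draft output by default, explicit per-platform confirmation, credentials in a secret store, no scheduled live publishing without a human gate) and the gaps the findings above describe (no approval gate, no opt-in control, secrets configured without guidance) can be addressed with one small publish gate in front of the platform clients. The sketch below is an added example, not code from this skill or from SkillSpector; the platform ids, the environment-variable naming convention standing in for a secret store, and the approval record shape are all assumptions. It binds each approval to a hash of the exact content reviewed, so an edit after approval, a scheduled run, or an approval for a different platform cannot reach a live post.

```python
"""Publish gate for an agentic content pipeline (added example, not the skill's code).

Controls implemented:
  * draft/preview is the default; nothing touches an external account unless live=True
  * a live post needs a human approval for THIS platform and THIS exact content
  * credentials come from the environment (stand-in for a secret store), never the manifest
  * scheduled runs get no bypass: the same approval check applies
Platform ids, variable names and the approval record are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass
from typing import Mapping

# Hypothetical platform ids for the two accounts the skill connects.
PLATFORMS = ("wechat", "xiaohongshu")


class PublishDenied(Exception):
    """Raised whenever the gate refuses to let content go live."""


@dataclass(frozen=True)
class Approval:
    """A human approval for one platform and one exact piece of content."""
    platform: str
    approver: str
    content_hash: str


@dataclass(frozen=True)
class PublishRequest:
    platform: str
    content: str
    live: bool = False        # False => draft/preview only (the default)
    scheduled: bool = False   # True when fired by a scheduler rather than a person


def content_hash(text: str) -> str:
    """Hash that binds an approval to the content exactly as it was reviewed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def approve(platform: str, content: str, approver: str) -> Approval:
    """Record a human's approval of this exact content for this platform."""
    return Approval(platform, approver, content_hash(content))


def load_credential(platform: str, env: Mapping[str, str]) -> str:
    """Fetch the publishing token from the environment (secret-store stand-in).

    Assumed naming convention: WECHAT_PUBLISH_TOKEN, XIAOHONGSHU_PUBLISH_TOKEN.
    Read only at the moment of a live post; never placed in the audit record.
    """
    token = env.get(f"{platform.upper()}_PUBLISH_TOKEN", "")
    if not token:
        raise PublishDenied(f"no credential configured for {platform}")
    return token


def gate(req: PublishRequest, approvals: list[Approval], env: Mapping[str, str]) -> dict:
    """Decide what happens to one request and return an audit record (no secrets)."""
    if req.platform not in PLATFORMS:
        raise PublishDenied(f"unknown platform {req.platform!r}")
    digest = content_hash(req.content)
    if not req.live:
        # Safe default: produce a draft, touch no external account state.
        return {"platform": req.platform, "mode": "draft", "content_hash": digest}

    # Going live: approval must match this platform AND this content revision.
    # An approval for the other platform or an earlier draft does not count,
    # and a scheduled run is held to exactly the same check.
    matching = [a for a in approvals
                if a.platform == req.platform and a.content_hash == digest]
    if not matching:
        origin = "scheduled run" if req.scheduled else "interactive run"
        raise PublishDenied(f"{origin}: no human approval for {req.platform} / {digest[:12]}")

    token = load_credential(req.platform, env)   # fails closed when unset
    # ... a real implementation would call the platform client with `token` here ...
    return {
        "platform": req.platform,
        "mode": "live",
        "content_hash": digest,
        "approver": matching[0].approver,
        "credential_present": bool(token),
    }


def run_pipeline(requests: list[PublishRequest], approvals: list[Approval],
                 env: Mapping[str, str] | None = None) -> list[dict]:
    """Handle each platform independently: a denial is recorded, never silently
    skipped, and one approval never carries over to a second platform."""
    env = os.environ if env is None else env
    results = []
    for req in requests:
        try:
            results.append(gate(req, approvals, env))
        except PublishDenied as exc:
            results.append({"platform": req.platform, "mode": "denied", "reason": str(exc)})
    return results


if __name__ == "__main__":
    # Constructed demo: approval exists for WeChat only; no Xiaohongshu token is set.
    post = "Spring launch post"
    demo_env = {"WECHAT_PUBLISH_TOKEN": "example-token"}
    demo_approvals = [approve("wechat", post, "editor@example")]
    for record in run_pipeline([
        PublishRequest("wechat", post),                                   # draft by default
        PublishRequest("wechat", post, live=True),                        # approved -> live
        PublishRequest("xiaohongshu", post, live=True),                   # no approval -> denied
        PublishRequest("wechat", post + " (edited)", live=True, scheduled=True),  # stale -> denied
    ], demo_approvals, demo_env):
        print(record)
```

The audit record deliberately reports only that a credential was present, not its value, so the gate's output can be logged without leaking the token. Binding the approval to a content hash is what makes the gate meaningful in an agentic pipeline: the model cannot quietly alter the text between the human's review and the post.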

VirusTotal

65/65 vendors flagged this skill as clean.