Plugin vv1.0.1.0
ClawScan security
Haitivirtualbanks · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 8:01 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's metadata/README says nothing useful but the package contains a large archive of Instagram/personal-data files — that's incoherent and risky; proceed only after clarifying the origin and purpose of those files.
- Guidance: Do not install or enable this skill until you confirm its origin and purpose. Specific actions to consider:
  - Ask the publisher why an Instagram data export (messages, profile, device/login info, images/videos) is bundled with a skill and what the agent will do with those files.
  - If this is your data and you intended to analyze it, prefer running local, offline tools rather than publishing it as a skill. Sanitize or remove any personal identifiers before packaging.
  - If you did not expect personal data in the package, do not enable the skill and delete the package. Treat the files as potentially sensitive and avoid uploading them anywhere else.
  - Because SKILL.md is empty and contains possible prompt-injection control characters, be cautious: an agent executing an unclear skill might be induced to reveal or transmit data. Ask for a clear SKILL.md that states exact runtime steps and data use.
  - If you've already used the skill with real accounts, monitor those accounts for suspicious activity and rotate passwords/tokens as needed.

  I rate this 'suspicious' (not proven malicious) because the included content and the absent/obfuscated instructions are inconsistent and unexplained. Additional info that would change the assessment: a clear, non-obfuscated SKILL.md explaining why the Instagram dataset is included and what safe operations the skill performs, or confirmation that the files are synthetic/test data with no real PII.
- Findings:
  - [unicode-control-chars] unexpected: Prompt-injection pattern found inside SKILL.md; the minimal README plus control characters could be an attempt to manipulate an evaluator or agent. This is unexpected for a legitimate skill that should document behavior.
Review Dimensions
- Purpose & Capability (concern): Name and description are meaningless/ambiguous (btccitahaitivirtualbanks) and do not justify the large included dataset. The bundle contains many HTML, media, and inbox files that look like personal Instagram data (messages, profile info, device/login info). There is no explanation why a 'Haitivirtualbanks' skill would package user-exported Instagram data — this mismatch is a significant red flag.
- Instruction Scope (concern): SKILL.md consists of a single short header and a token-like string; it provides no runtime instructions and does not document what the agent should do with the included files. The pre-scan detected unicode-control-chars in SKILL.md (prompt-injection pattern). Because the skill contains many data files but gives no scope-limiting instructions, an agent could nevertheless read or expose sensitive contents if invoked — the instructions are too vague/absent to be safe.
- Install Mechanism (ok): No install spec and no code to execute were provided (instruction-only). That limits supply-chain risk because nothing is written to disk at install time beyond the shipped files. However, the package itself already contains many static files, increasing the data-sensitivity surface even without an install step.
- Credentials (concern): The skill requests no environment variables or credentials, which would normally be proportional — but the included file manifest contains extensive personal data (messages, profile/device/login info, images, videos). Shipping potentially sensitive user data inside a skill with no explanation is disproportionate and suspicious even though no secrets are declared.
- Persistence & Privilege (ok): Skill flags show no elevated privileges: always:false and normal agent-invocation allowed. The skill does not request to modify other skills or system config. The primary risk is data included in the package, not persistent privileges.
