Is clawdbot-backup safe?
https://clawhub.ai/Sebastian-Buitrag0/clawdbot-backup
The skill 'chirp' is published under the misleading slug 'clawdbot-backup', which is a social engineering concern — users expecting backup functionality would instead get a Twitter/X browser automation tool. While the skill contains no malicious code, install-time threats, or data exfiltration mechanisms, it instructs the agent to perform publicly visible, irreversible social media actions (posting, liking, following) on the user's authenticated Twitter account with minimal confirmation guardrails. The combination of deceptive naming and broad social action surface warrants caution.
Findings (6)
HIGH: Slug-to-skill name mismatch indicates potential deception (-30)
The skill is installed under the slug 'clawdbot-backup' but the actual skill is named 'chirp' and provides X/Twitter browser automation. Users installing 'clawdbot-backup' would reasonably expect backup functionality, not social media control. This naming discrepancy is a social engineering red flag that could trick users into granting social media access without informed consent.
MEDIUM: Broad social media action surface without per-action confirmation (-15)
The skill instructs the agent to post tweets, like content, repost, follow users, and reply — all publicly visible actions on the user's authenticated Twitter account. While there is a note to confirm tweet content before posting, there are no similar guardrails for likes, reposts, follows, or replies. An agent following these instructions could take irreversible social actions without explicit user approval.
LOW: Primary instructions in Korean may obscure behavior (-5)
The bulk of the skill's instructions are written in Korean while the English frontmatter description is brief. Users who don't read Korean may not fully understand what the skill instructs the agent to do, reducing informed consent.
MEDIUM: Timeline and profile data exposed to LLM context (-20)
The skill reads Twitter timeline content, user profiles, and search results via browser snapshots. This data enters the LLM context window and could be accessed by other skills or leaked through model responses. While necessary for the stated functionality, the data exposure surface is significant given the slug mismatch concern.
MEDIUM: Social media automation creates irreversible public action risk (-70)
If this skill is activated (whether intentionally or through the misleading slug name), the agent can take publicly visible, irreversible actions on the user's Twitter account including posting tweets, following accounts, and engaging with content. Combined with the deceptive naming, this creates a significant risk of unauthorized social media activity.
INFO: No executable code present (0)
The skill contains only a SKILL.md instruction file and metadata JSON files. No scripts, hooks, or executable code is present.