Cym Zentao

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ZenTao task tool, but it needs review because it uses stored account credentials, exposes tokens, and can create live project tasks without confirmation.

Install only if you trust this publisher with your ZenTao account and project data. Use a least-privileged ZenTao account, verify the API URL in TOOLS.md before running it, avoid the login command where output may be logged, and manually review exact execution IDs and task lists before creating or batch-creating tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The CLI exposes a dedicated login command that prints the raw ZenTao authentication token to stdout. In an agent/tooling context, stdout is often captured in logs, transcripts, or passed to other components, so this creates a credential disclosure path that can enable unauthorized API access far beyond the stated task/query functionality.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The skill reads API URL, username, and password from a general local markdown file under the user's home/workspace, which is broader access than necessary for the exposed CLI functionality and creates implicit secret harvesting behavior. This is dangerous because the file path and parsing logic are hidden implementation details to the user, and any execution of the skill causes local credential access that could be repurposed or expanded without clear consent.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The manifest description is broad enough that an orchestrator or user may invoke this skill for loosely related project-management tasks without clear boundaries. Because the skill launches a local Node.js CLI that can create tasks and query execution data, ambiguous invocation scope can cause unintended actions, overuse of the tool in the wrong context, or exposure of project data beyond the user's intent.

Missing User Warnings

Severity: High
Confidence: 86%
Finding:
Batch task creation can perform many remote write operations from an arbitrary JSON file with no confirmation, rate limiting, or dry-run preview. In an agent environment, a mistaken or manipulated file path can cause bulk unauthorized or unintended changes to project state, amplifying damage compared with single-task creation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The code extracts local credentials and immediately posts them to a remote endpoint derived from the same parsed content, without any disclosure, trust verification, or restriction on the destination host. This is dangerous because if TOOLS.md is modified or maliciously populated, the skill will send the user's username and password to an attacker-controlled server, turning local secret access into credential exfiltration.

VirusTotal

57/57 vendors flagged this skill as clean.