Atlassian Bitbucket Cloud by @altf1be

Security checks across malware telemetry and agentic risk

Overview

This is a powerful but openly documented Bitbucket automation skill; users should install it only with narrowly scoped Bitbucket credentials.

Use a dedicated Atlassian API token with only the scopes needed for your workflow. Avoid granting account-level SSH/GPG, addon, permission-admin, runner, or variable scopes unless you intend to use those commands. Do not paste real secrets or private keys directly into shared shells, logs, or agent transcripts: a value passed as a command-line argument ends up in shell history, process listings and agent traces, so prefer supplying it from a file, an environment variable, or stdin.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Severity: Medium | Confidence: 95%
The skill documentation presents conflicting authentication guidance: setup and manifest require API Token auth, while the Security section states Basic auth with App Passwords. In a high-privilege Bitbucket administration skill, this kind of inconsistency can cause operators to provision the wrong credential type, weaken secret handling assumptions, or keep using legacy credentials longer than intended.

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
This document shows the skill implements full Bitbucket Cloud REST coverage, including high-risk administrative and identity-management actions such as repository/workspace permission changes, deploy keys, pipeline variables, SSH/GPG keys, webhooks, runners, and project/repo administration. If the manifest or user-facing description understates that scope, operators may grant or invoke the skill without understanding it can modify access control, credentials, automation, and code-hosting state, increasing the chance of over-privileged use and unintended sensitive actions.

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
The endpoint list includes GPG key management operations that materially expand the skill’s effective authority beyond the described scope of repository/PR/pipeline CRUD. Undisclosed credential-management capability is dangerous because an agent or user may grant the skill trust it would not otherwise receive, enabling modification of account-level signing credentials.

Description-Behavior Mismatch

Severity: Medium | Confidence: 98%
User SSH key administration is a highly sensitive account-level capability and is not implied by the advertised Bitbucket object CRUD scope. If exposed through an agent skill without clear disclosure and strict gating, it could be used to add attacker-controlled keys, enabling persistent repository access and account compromise paths.

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
Project administration and permission-configuration functions extend the skill beyond the user-facing description, creating a mismatch between expected and actual authority. This increases the risk of over-trust and unsafe delegation, since users may invoke the skill believing it only manages common Bitbucket content objects rather than governance settings.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
Repository and workspace permission-management endpoints enable direct access-control changes, which are materially more dangerous than ordinary CRUD on repos or pull requests. In an agent context, undisclosed permission administration can be exploited to grant or revoke access, cause privilege escalation, or weaken organizational security boundaries without informed user awareness.

Description-Behavior Mismatch

Severity: Medium | Confidence: 88%
Addon/app-management endpoints fall outside the stated repository-centric Bitbucket CRUD scope and introduce software lifecycle control over installed apps. Even if legitimate, this undisclosed breadth is risky because app update or deletion functions may alter integrations, disable protections, or affect other connected systems.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
The skill includes SSH/GPG key management operations for arbitrary users, which expands from repository/workspace CRUD into account credential-management. In an agent setting, this materially increases blast radius because the same Bitbucket token can be used to add, modify, or remove authentication material tied to user identities, enabling persistence or account takeover depending on granted scopes.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
The user property mutation and deletion endpoints allow generic modification of user-scoped application properties unrelated to the stated repo/PR/pipeline/workspace management purpose. In an automated agent context, these broad account-level write capabilities create unnecessary privilege and can be abused to alter user state or application metadata without a strong business need.

Context-Inappropriate Capability

Severity: High | Confidence: 95%
Addon/app administration endpoints are a significant capability expansion beyond the advertised API-token CRUD scope and include destructive operations like deleting an app and linker values. Even though comments note JWT auth is required for most, exposing these commands in the same skill broadens the attack surface and could enable app-level tampering or service disruption if suitable credentials are ever present.

Missing User Warnings

Severity: Medium | Confidence: 87%
The examples show sensitive values passed directly on the command line (for example, --value secret123 and --value tok_abc) without any warning. CLI arguments are often exposed through shell history, process listings, logs, transcripts, and agent traces, so this encourages unsafe secret handling in a skill that manages pipeline and workspace credentials.

Missing User Warnings

Severity: High | Confidence: 87%
Multiple commands accept raw secret values for pipeline, environment, team, user, and workspace variables and then transmit them directly to Bitbucket. In an agent-driven workflow, this creates a meaningful risk of accidental secret disclosure, misrouting of sensitive values to the wrong scope, or storing credentials in a less protected location than intended.

Missing User Warnings

Severity: High | Confidence: 94%
The pipeline SSH keypair update command accepts a private key as a normal CLI argument and sends it to the remote API. Passing private keys on the command line is especially dangerous because they may be exposed via shell history, process inspection, audit logs, or agent transcripts, turning a legitimate feature into a credential leakage vector.
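The secret-handling point made in the Overview and in the three Missing User Warnings findings above (variable values and a private key accepted as plain --value arguments) is illustrated by the following added example. It is not the skill's own code: the program name bb-var-set, the --value-file / --value-env / --value-stdin / --allow-inline-secret flags, and the sample values are assumptions chosen to show how a CLI that manages pipeline and workspace credentials can keep the secret out of argv, check the permissions of a key file it is handed, and redact the one unsafe form before anything is logged or written to an agent transcript.

```python
"""Accept a pipeline/workspace variable or SSH private key without placing it in argv.

Added example, not the skill's own code: the program name bb-var-set and the
--value-file / --value-env / --value-stdin / --allow-inline-secret flags are hypothetical.
"""
import argparse
import os
import sys
from pathlib import Path


class InlineSecretError(ValueError):
    """Raised when a secret is offered as a plain command-line argument."""


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="bb-var-set")
    p.add_argument("--key", required=True, help="variable name, e.g. DEPLOY_TOKEN")
    src = p.add_mutually_exclusive_group(required=True)
    # Kept only for compatibility: argv is visible to ps, shell history and agent transcripts.
    src.add_argument("--value", help="UNSAFE: secret visible in shell history and process listings")
    src.add_argument("--value-file", help="read the secret from a file owned by the caller, mode 0600")
    src.add_argument("--value-env", help="name of an environment variable that holds the secret")
    src.add_argument("--value-stdin", action="store_true", help="read the secret from stdin")
    p.add_argument("--allow-inline-secret", action="store_true",
                   help="acknowledge the exposure and accept --value anyway")
    return p


def resolve_value(ns: argparse.Namespace, stdin=None, env=None) -> str:
    """Return the secret from the chosen source; refuse the inline form unless acknowledged."""
    env = os.environ if env is None else env
    if ns.value is not None:
        if not ns.allow_inline_secret:
            raise InlineSecretError(
                "refusing --value: use --value-file, --value-env or --value-stdin so the "
                "secret never enters argv")
        return ns.value
    if ns.value_file:
        path = Path(ns.value_file)
        mode = path.stat().st_mode & 0o777  # POSIX permission bits
        if mode & 0o077:  # group- or world-readable: another local user could read the key
            raise PermissionError(f"{path} has mode {mode:o}; expected 0600")
        return path.read_text().rstrip("\n")
    if ns.value_env:
        if ns.value_env not in env:
            raise KeyError(f"environment variable {ns.value_env} is not set")
        return env[ns.value_env]
    stream = sys.stdin if stdin is None else stdin  # --value-stdin
    return stream.read().rstrip("\n")


def redact_argv(argv: list[str]) -> list[str]:
    """Argv as it should appear in a log or agent transcript: the --value payload masked."""
    out, mask_next = [], False
    for arg in argv:
        if mask_next:
            out.append("<redacted>")
            mask_next = False
        elif arg == "--value":
            out.append(arg)
            mask_next = True
        elif arg.startswith("--value="):
            out.append("--value=<redacted>")
        else:
            out.append(arg)
    return out


def main(argv=None) -> int:
    ns = build_parser().parse_args(argv)
    try:
        secret = resolve_value(ns)
    except (InlineSecretError, PermissionError, KeyError) as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 2
    # A real client would PUT the secured variable to Bitbucket here; only its length is logged.
    print(f"would set secured variable {ns.key} ({len(secret)} bytes); "
          f"logged argv: {redact_argv(sys.argv if argv is None else argv)}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Typical invocations under these assumptions are `bb-var-set --key DEPLOY_KEY --value-file ~/.ssh/deploy_key` or `printf '%s' "$TOKEN" | bb-var-set --key DEPLOY_TOKEN --value-stdin`; the inline form `--value secret123` exits with an error unless the operator adds `--allow-inline-secret`, and even then the value is masked in whatever the tool logs.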

VirusTotal

63/63 vendors flagged this skill as clean.