Apify Keys

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Apify key rotator, but it ships live-looking database credentials and can expose or mutate sensitive key records with weak containment.

Install only in a trusted internal ColdCore/Apify environment where the database credential is intentionally available to the agent. Before broader use, remove and rotate the hardcoded database password, require explicit secret configuration, preinstall pinned dependencies, restrict all-key listing and arbitrary token checks, and treat every stdout or JSON output as sensitive credential data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("Installing mysql-connector-python...", file=sys.stderr)
    import subprocess
    subprocess.check_call([
        sys.executable, "-m", "pip", "install",
        "--break-system-packages", "-q", "mysql-connector-python"
    ])
Confidence
93% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", "mysql-connector-python" ])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("Installing requests...", file=sys.stderr)
    import subprocess
    subprocess.check_call([
        sys.executable, "-m", "pip", "install",
        "--break-system-packages", "-q", "requests"
    ])
Confidence
93% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", "requests" ])

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes shell execution, environment-variable access, and network/database interactions, yet no explicit permissions are declared. This creates a trust and review gap: a caller may invoke a credential-accessing, network-capable skill without understanding that it can reach external systems and handle secrets. In the context of a key-rotation skill, undeclared access to env, shell, and network is more dangerous because the skill is explicitly designed to retrieve and expose live API credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior substantially exceeds the stated purpose: beyond returning the next key, it can enumerate account records, query live balances, accept arbitrary user-supplied keys, and access an external MySQL database with implied default credentials. This mismatch is dangerous because users may treat the skill as a narrow key rotator while it actually exposes broader credential inventory and external-account interrogation capabilities, increasing the risk of secret disclosure and unauthorized access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The advertised purpose is to return the next rotated Apify key, but --list exposes all active accounts and partial key material, enabling bulk enumeration of managed credentials. In this context, that materially increases the blast radius from single-key access to discovery of the entire credential inventory.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The --check-balance --key path allows a caller to submit any arbitrary Apify token and have the skill send it to Apify, turning the skill into a general-purpose token validation oracle. That exceeds the declared trust boundary of rotating managed database keys and may facilitate misuse of third-party credentials or accidental handling of secrets outside the managed store.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly instructs users and other skills to retrieve and pipe raw API keys, and the JSON example returns the full key alongside account metadata. That practice increases the chance of accidental disclosure via logs, subprocess output capture, shell history, downstream tool output, or misuse by other skills, especially since the keys are sourced from a shared database-backed credential store.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code contains hardcoded default database host, username, password, and database name, and it accesses stored API keys from that database. Embedding live credential defaults in the script is a severe secret-management failure: anyone with code access can reuse them to access the backend and extract or alter all managed keys.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill silently installs packages and uses --break-system-packages, modifying the runtime environment without consent. In agent or shared-system deployments, this can destabilize the host, bypass administrative controls, and increase exposure to supply-chain compromise.

VirusTotal

66/66 vendors flagged this skill as clean.
