Epragma Redmine Issue

Security checks across malware telemetry and agentic risk

Overview

This Redmine skill is not clearly malicious, but it is presented mainly as a reader even though it can make live changes to Redmine issues and time entries using an API key.

Install only if you intend to grant this skill read/write access to Redmine. Use a least-privilege API key, verify REDMINE_URL and REDMINE_API_KEY carefully, and treat write commands as live production changes rather than read-only inspection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill requires environment variables for a Redmine URL and API key and performs network operations, but the manifest does not declare corresponding permissions. This creates a transparency and governance problem: users or platforms may assume the skill is lower risk than it is, while it can access credentials and communicate with arbitrary Redmine servers.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose says the skill reads Redmine issues, but the documented behavior includes write operations such as updating issues, adding comments, creating issues, and recording time entries. This mismatch is dangerous because users and automated agents may invoke the skill expecting read-only behavior while it is actually capable of modifying remote project data.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest branding and summary frame the skill as read-only, yet the documented commands include create, update, comment, and time-entry actions. In a tool-routing context, this can mislead operators or orchestration logic into granting or invoking a mutating skill where only passive inspection was intended.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The top-level documentation repeats the claim that the skill reads issues, but later sections document several mutating operations. This inconsistency increases the chance of accidental misuse, especially when a user or agent relies on the introductory documentation rather than reading the full command list.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata presents this as a read-only Redmine issue reader, but the CLI exposes multiple state-changing operations including update, create, comment, and time entry management. This mismatch is dangerous because users, orchestrators, or policy engines may grant or invoke the skill under the assumption that it only reads data, leading to unintended persistent changes in a remote Redmine instance.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements write-capable Redmine operations including issue updates, comment addition, issue creation, time entry creation/updates, and time entry deletion, while the skill metadata describes a read-only issue reader. That mismatch is dangerous because a caller or downstream agent may trust the skill as read-only and unknowingly trigger state-changing actions against a live Redmine instance, causing unauthorized modification or destruction of project data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation exposes commands that update issues, create issues, add comments, and add time entries without warning that these actions change remote project state. Lack of such warnings increases the risk of accidental data modification, operational disruption, or unauthorized changes when the skill is used by humans or autonomous agents.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill instructs users to configure a Redmine API key but does not mention that the credential is sensitive, should be protected, and may grant broad access to project data and write operations. Poor guidance around secret handling increases the likelihood of credential leakage through shell history, logs, screenshots, or insecure sharing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The update command performs a persistent remote modification with no explicit warning, dry-run, or confirmation in this file. In an agent setting, this increases the risk of accidental issue edits from ambiguous prompts or incorrect tool selection, especially because the overall skill is described as read-oriented.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The comment command sends user-provided notes directly to the remote tracker without any disclosure or confirmation. This can cause accidental data leakage, reputational harm, or unwanted workflow noise if sensitive or draft content is posted to production issues by an agent or inattentive user.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The create command opens new issues in the remote system without an explicit warning that this is a persistent write. In agent workflows, this can lead to unauthorized ticket creation, spam, or process disruption when the tool is invoked based on mistaken assumptions that it is only reading existing issues.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The time-add command writes time entries to Redmine without explicit prior disclosure or confirmation. Because time tracking data affects billing, reporting, and audit trails, accidental writes can have operational and financial consequences beyond simple data modification.

VirusTotal

61/61 vendors flagged this skill as clean.
