OpenMarlin

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its OpenMarlin purpose, but it handles billing authority and exposes newly issued API keys in command output, so users should review it before installing.

Install only if you trust the OpenMarlin API origin and are comfortable granting this skill access to OpenMarlin account, execution, task, billing, top-up, and referral information. Run registration/bootstrap in a private context, avoid sharing terminal or agent logs because the API key may be printed, and use --store only when you intentionally want the credential saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs use of network access, shell execution, environment variables, and local file-backed state/auth storage, yet it declares no permissions. That mismatch undermines platform trust boundaries because users and reviewers are not told that the skill can contact external services and persist credentials or billing/task state locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The description says the skill handles OpenMarlin usage, setup, and billing, but the file also describes additional sensitive behaviors such as storing API keys locally, persisting billing/task state on disk, listing models, referral retrieval, and idempotency tracking. Incomplete disclosure is dangerous because it can cause users to invoke the skill without understanding that secrets and activity metadata may be retained or that broader account-related actions are possible.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script exposes a `referral-link` command and corresponding API access that goes beyond the stated billing/top-up/402-recovery purpose. Pulling referral code, invite link, and attribution data expands the skill's access to account-marketing information without clear necessity, which violates least-privilege and can disclose unnecessary user/account metadata.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
These lines call the referral endpoint and process referral/invite attribution data, which is unrelated to core billing recovery flows. Even if not directly harmful like code execution, this creates unnecessary access to ancillary account data and increases privacy and over-collection risk if the skill is used in environments expecting only billing operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code prints the newly issued API key secret to stdout and also includes it in JSON output. Secrets written to terminal output, logs, CI transcripts, shell history captures, or agent traces can be recovered by unintended parties and used to impersonate the workspace identity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script can persist an issued API key to auth-profiles.json without an explicit warning that sensitive credentials are being written to disk. In agent tooling, local credential files may have broad filesystem exposure, be backed up, synced, or read by other processes, increasing the blast radius if permissions are weak.
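As an added example, not code from the OpenMarlin skill or from the SkillSpector scanner, the Python below shows how a bootstrap command can address the two findings above at once: the issued key never appears in JSON or stdout unless the user is on an interactive terminal and declined storage, and the opt-in credential file is written atomically with owner-only permissions together with an explicit warning. The function names (`register`, `store_profile`, `redact`, `demo`), the `interactive` flag standing in for an `isatty()` check, the sample key string, and the layout of auth-profiles.json are all assumptions made for the example.

```python
"""Added example (not code from the OpenMarlin skill): handing over a newly
issued API key without printing it into logs or leaving it world-readable.
Assumptions: the issuing call returns a plain string (simulated here), the
credential file is auth-profiles.json, and persistence is opt-in via a
`store` flag that mirrors the page's --store."""
import json
import os
import tempfile
from pathlib import Path


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for identification; everything else is dropped."""
    if len(secret) <= keep:
        return "[redacted]"
    return secret[:keep] + "...[redacted]"


def store_profile(path: Path, profile: str, api_key: str) -> None:
    """Merge the key into auth-profiles.json atomically with mode 0600.
    Refuses to follow a symlink so a planted link cannot redirect the write."""
    if path.is_symlink():
        raise RuntimeError(f"refusing to write credentials through symlink {path}")
    profiles = json.loads(path.read_text()) if path.exists() else {}
    profiles[profile] = {"api_key": api_key}
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".auth-profiles.")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(profiles, f, indent=2)
        os.chmod(tmp, 0o600)   # owner read/write only, set before the file is visible
        os.replace(tmp, path)  # atomic rename, so no half-written credential file
    except BaseException:
        os.unlink(tmp)
        raise


def register(issued_key: str, *, store: bool, interactive: bool,
             profile: str = "default", path: Path = Path("auth-profiles.json")) -> dict:
    """Build the command's JSON result. The full secret is returned only when the
    user declined storage AND is on an interactive terminal; piped or agent-driven
    runs without --store get an error instead of a key in the transcript."""
    result = {"profile": profile, "stored": False, "api_key": redact(issued_key)}
    if store:
        store_profile(path, profile, issued_key)
        result.update(stored=True, stored_at=str(path),
                      warning="API key written to disk (mode 0600); keep this file "
                              "out of backups and sync unless that is intended")
    elif interactive:
        result.update(api_key=issued_key,
                      warning="API key shown once and not saved; it remains in your "
                              "terminal scrollback")
    else:
        result.update(error="stdout is not a terminal; re-run with --store or in a "
                            "private terminal to receive the key")
    return result


def demo() -> dict:
    """Exercise the three paths in a throwaway directory and report what each exposed."""
    key = "om_example_0123456789abcdef"  # constructed sample, not a real key
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "auth-profiles.json"
        stored = register(key, store=True, interactive=False, path=path)
        mode = oct(path.stat().st_mode & 0o777)
        on_disk = json.loads(path.read_text())["default"]["api_key"]
        shown = register(key, store=False, interactive=True, path=path)
        piped = register(key, store=False, interactive=False, path=path)
    return {"stored_output": stored["api_key"], "mode": mode, "on_disk": on_disk,
            "shown_output": shown["api_key"], "piped_output": piped["api_key"],
            "piped_error": "error" in piped}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The non-interactive branch is the one that matters for agent tooling: when an agent runs the bootstrap and captures stdout, the key is neither echoed nor silently written, and the user is told to make a deliberate choice.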

VirusTotal

67/67 vendors flagged this skill as clean.
