Acumatica Customization Management

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for Acumatica administration, but it gives an agent powerful ERP-changing commands with weak safeguards against accidental use.

Install only if you want an agent to help administer Acumatica customization projects. Use HTTPS, a least-privileged Acumatica account, chmod 600 on acumatica.conf, and require explicit human approval before import, publish, unpublish, delete, or maintenance-mode commands, especially against production or all tenants.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell/script execution capability via a bash helper and external tools like curl, jq, base64, and python3, but the metadata does not declare permissions or execution constraints. This creates a trust and governance gap: an agent may invoke a capability that can perform authenticated administrative actions against an Acumatica instance without the user or policy layer having explicit visibility into that power.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger guidance is overly broad, instructing invocation on generic terms such as 'publish', 'unpublish', or any mention of 'Acumatica'. In this skill's context, accidental invocation is particularly risky because the available operations are administrative and destructive, including publish, unpublish-all, delete, and maintenance-mode changes against a live ERP system.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The unpublish command performs a destructive action across the selected tenant scope, including potentially all tenants, with no interactive confirmation, dry-run, or explicit force flag. In an agent/tooling context, this increases the chance of accidental or prompt-induced destructive changes to production ERP customizations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The delete command permanently removes an unpublished customization project without any confirmation or secondary safety check. In an automation skill, a mistaken invocation or adversarial prompt could cause irreversible loss of project state and disrupt customization workflows.

External Transmission

Medium
Category
Data Exfiltration
Content
'{name: $name, password: $password}')

    local response_body http_code
    response_body=$(curl -s -w "\n%{http_code}" \
        -c "$_COOKIE_FILE" \
        -X POST \
        -H "Content-Type: application/json" \
Confidence
91% confidence
Finding
curl -s -w "\n%{http_code}" \ -c "$_COOKIE_FILE" \ -X POST \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo "Exporting project '$project_name'..."

    local response
    response=$(curl -s \
        -b "$_COOKIE_FILE" \
        -X POST \
        -H "Content-Type: application/json" \
Confidence
89% confidence
Finding
curl -s \ -b "$_COOKIE_FILE" \ -X POST \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.
