Send Message

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a direct-message helper, but it can read private conversations and automatically mark all OpenAnt notifications as read, not just message alerts.

Review before installing. Use this only if you are comfortable letting the agent access OpenAnt private conversations and send messages when instructed. The main issue is notification handling: the skill documents marking all notifications as read automatically, which could hide unrelated alerts unless the user explicitly controls that action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The workflow instructs the agent to run `openant notifications read-all --json`, which affects all notifications rather than only message-related ones. This exceeds the DM-only scope and can silently alter unrelated user state, causing loss of visibility for other important notifications and creating an integrity/usability issue.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The autonomy guidance says marking notifications as read is safe to execute immediately, but the documented command marks all notifications as read, including non-message items. This invites an agent to take an irreversible cross-scope action without user approval, increasing the chance of unintended state changes and missed alerts.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are broad everyday expressions such as 'what did they say?' and 'check inbox', which can cause this skill to be invoked in contexts where the user did not intend to access private messages. Because the skill can read conversations and send DMs, accidental invocation can expose sensitive content or initiate unintended communications.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explains how to read conversations and notifications but does not warn that these actions expose private message bodies, participant identities, and notification metadata. In a messaging context, omission of privacy warnings makes accidental disclosure more likely and reduces the chance that the agent will seek confirmation before accessing sensitive content.

VirusTotal

VirusTotal findings are pending for this skill version.
