Sure API

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Sure API helper, but it gives an agent broad write and delete access to financial and account data without enough safeguards on the raw API path.

Install only if you trust this skill and agent with your Sure financial account. Prefer the wrapped CLI commands, require explicit approval before any write or delete, and avoid using the raw request helper for destructive paths such as user reset or account deletion unless you fully understand the impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch

Medium severity, 94% confidence
The generated endpoint summary exposes authentication and account-lifecycle endpoints that are not reflected in the skill description, creating a capability mismatch. In an agent skill, undocumented auth flows and identity-affecting operations can mislead users or downstream systems about what the skill can do, increasing the chance of unsafe invocation or privilege misuse.

Description-Behavior Mismatch

High severity, 97% confidence
The summary lists destructive user endpoints such as deleting the current user and resetting users without corresponding disclosure in the manifest. Hidden or poorly advertised destructive capabilities are especially dangerous in agent contexts because they can enable irreversible account deletion or reset actions beyond the user's expected scope.

Description-Behavior Mismatch

Medium severity, 91% confidence
The OpenAPI spec exposes authentication flows such as signup, login, token refresh, SSO exchange, and account-affecting user operations that go beyond the skill's stated scope of using the Sure REST API with X-Api-Key auth for finance data access. This mismatch is dangerous because an agent or user may assume the skill only performs scoped data operations, while the spec also enables credential handling and broader account lifecycle actions, increasing the chance of over-privileged or unintended use.

Description-Behavior Mismatch

High severity, 97% confidence
The spec includes destructive endpoints for resetting all family financial data and deleting the current user account, yet these capabilities are not reflected in the manifest description. Hidden destructive actions are especially risky in an agent skill because normal usage expectations are data retrieval and CRUD on financial records, not irreversible account-wide destruction, so misuse or prompt confusion could cause severe data loss.

Intent-Code Divergence

Medium severity, 88% confidence
The valuations endpoints are documented under apiKeyAuth security, but also define required Authorization bearer headers in the operation parameters. This inconsistent authentication model is dangerous because it can mislead an agent into requesting or handling additional bearer credentials not expected by the skill, creating confusion, auth bypass assumptions, or accidental credential exposure paths.

Missing User Warnings

Medium severity, 88% confidence
The skill supports create, update, and delete operations against a live financial API, but the top-level usage guidance does not present a strong user-facing warning that these actions can modify production data. Although a 'safe write pattern' is mentioned later, the skill still normalizes destructive operations without a prominent risk notice at entry points.

Missing User Warnings

Medium severity, 94% confidence
The raw examples include live POST requests for imports, trades, valuations, chats, and messages, which can immediately transmit and persist user data to an external service. Because these are copy-pastable examples without an adjacent warning, they materially increase the chance of accidental writes to production systems.

Missing User Warnings

Medium severity, 92% confidence
The markdown enumerates multiple DELETE endpoints but provides no warning that these actions may permanently remove data or accounts. In a skill reference used by agents or operators, omission of deletion warnings increases the risk of accidental destructive actions and weakens informed consent around irreversible operations.

Missing User Warnings

Medium severity, 95% confidence
When invoked with --with-live-api, the script executes the smoke test script, which may send real network requests to the external Sure API without any explicit warning, confirmation, or disclosure at the point of execution. In a skill context that may be run by automation or unsuspecting users, this can cause unintended outbound traffic and possible transmission of API keys or test data to a third-party service.

VirusTotal

63/63 vendors flagged this skill as clean.