Nexlink

Security checks across malware telemetry and agentic risk

Overview

NexLink is a coherent enterprise connector, but its email, calendar, task, contact, and file-management powers are broader and less consistently guarded than its safety claims.

Review before installing. Use only dedicated low-privilege Exchange and Nextcloud accounts, avoid broad delegate or impersonation rights, do not disable TLS verification except as a temporary controlled exception, and assume commands can make live business changes or expose data publicly. Require local allowlists and explicit human confirmation around mailbox switching, sending mail, creating public links, downloading attachments, and cross-user task actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares broad operational capabilities through required environment variables and documented commands that imply shell, file read/write, and network access, but it does not expose an explicit permissions model to help users or the platform understand and constrain those powers. This is dangerous because the skill handles highly sensitive enterprise systems (Exchange, Nextcloud, YouTube) and can read, modify, send, upload, download, and delete data using stored credentials, increasing the risk of over-privileged execution and unintended actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The function get_account_for allows the caller to connect to any SMTP address using the configured service credentials, with no local authorization check, scope restriction, or validation that the requested mailbox is approved. In an enterprise connector skill, this creates a real privilege-boundary risk because any upstream tool invocation or prompt-driven parameter can turn broad Exchange delegate/impersonation rights into arbitrary mailbox access and data exposure.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
The docstring asserts delegate-only behavior, but the actual implementation reuses the shared connection configuration and does not verify that the effective privileges or configured mode are limited to delegate semantics. This mismatch is dangerous because callers and reviewers may rely on a narrower trust model than the code actually enforces, leading to unauthorized mailbox access when service credentials have broader rights.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
This is a real issue. The module claims built-in security confirmations, but contact creation performs a state-changing write with no confirmation, while update/delete invoke an undefined confirm_or_die function that will likely cause a runtime failure instead of an intentional authorization/confirmation gate. In an agent context, this mismatch is dangerous because users and orchestrators may assume destructive or modifying actions are protected when they are not or are broken.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The module supports acting on another user's mailbox via the --mailbox and --assign-to flows, which expands authority beyond a typical single-user task manager. In a skill marketed with 'least-privilege defaults', cross-mailbox task access and modification materially increase the blast radius if the agent is misused, prompted incorrectly, or granted overly broad delegate rights.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file is presented as a Nextcloud file-management client but includes cross-system Exchange task creation helpers. That scope expansion is dangerous because a caller expecting only file operations may unknowingly trigger actions in a separate enterprise system, increasing the chance of unintended side effects and privilege misuse.

Intent-Code Divergence

High
Confidence
91% confidence
Finding
The top-level docstring claims the module is only for Nextcloud WebDAV file management, but later code performs Exchange task creation. Misleading scope documentation is security-relevant because operators, reviewers, and higher-level agents may trust the declared capability boundary and approve or invoke the skill under false assumptions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The task note explicitly states the skill description currently claims a 'persistent memory integration' feature even though no corresponding code exists. This is a security-relevant integrity issue because overstated capabilities can mislead operators about data handling, retention, and trust boundaries, causing unsafe deployment or incorrect assumptions during review.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises numerous destructive or externally impactful operations such as deleting files, deleting contacts, marking mail as read, sending reminders, creating tasks, and creating public share links, but it does not consistently warn users about side effects, permission scope, or irreversible outcomes. In an agent-skill context, this increases the risk that an LLM or user invokes high-impact commands without understanding they modify enterprise data or expose it externally.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation presents mutating commands such as sending email, creating calendar events and tasks, uploading/downloading files, sharing, deleting contacts, and creating tasks from extracted content without prominent warnings about side effects or the potential business impact. In an enterprise connector context, these actions can alter mailboxes, calendars, contact stores, and cloud files, so unclear safety guidance raises the chance of accidental destructive or privacy-impacting operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to provide Exchange credentials via environment variables/config and explicitly shows `verify_ssl: false` for self-signed certificates without a strong warning about man-in-the-middle risk. In an enterprise email/calendar connector, encouraging disabled TLS verification can expose credentials and mailbox contents to interception, and the skill handles highly sensitive communications data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill advertises capabilities to read/send email, manage calendar events, create tasks, and send reminders, all of which can transmit or alter sensitive user and organizational data, but it does not clearly warn users about these privacy and integrity effects. In this context, absent disclosure and confirmation guidance increases the risk of unintended outbound communication, unauthorized modifications, or overbroad use of mailbox privileges.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The CLI commands can enumerate mailbox metadata, sender identities, unread counts, and activity patterns and return them directly without any user-facing consent, warning, or contextual confirmation at the point of access. In an enterprise connector context, this increases the risk of privacy leakage and unauthorized oversharing of sensitive communication metadata if the tool is invoked by an agent or operator without clear access mediation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The update command modifies remote Exchange calendar data without calling the same confirmation guard used by create, delete, and respond. In an agent skill context, this increases the risk of unintended or prompt-induced calendar tampering, because a single mistaken invocation can silently alter meeting times, locations, or content and potentially disrupt business workflows.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
get_account_for accesses another mailbox using stored credentials without any user-facing confirmation, warning, or approval step, which is risky in an agentic context where parameters may be supplied indirectly. In this skill's context, the danger is elevated because the connector is designed to bridge enterprise email and calendar data, so silent cross-mailbox access can expose sensitive communications, contacts, and tasks without clear operator awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Contact creation accepts user-controlled fields and immediately persists them to Exchange without any user-facing warning or confirmation. In a connector skill that can act on behalf of a user or organization, this enables unintended modification of enterprise contact data through prompt confusion, agent misuse, or accidental invocation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The logger records request data, email/task/calendar identifiers, server names, and email addresses to console and rotating log files without any built-in redaction or sensitivity filtering. In an enterprise connector handling Exchange, files, calendars, and transcripts, these logs can capture PII, message content, metadata, or tokens if callers pass sensitive payloads, creating a confidentiality risk if logs are accessed, forwarded, or retained improperly.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
Creating a draft performs a state-changing write to the user's Exchange mailbox and may also read arbitrary local files for attachments, yet unlike send/reply/forward it lacks an explicit confirmation gate. In an agent context, this increases the risk of unintended mailbox modification and accidental inclusion of sensitive local files when a model or workflow acts on ambiguous instructions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The attachment download command writes attacker-controlled email attachment content to an arbitrary user-specified path without confirmation or path safety checks. In an agent setting, this can enable unintended file overwrite, placement of dangerous content in sensitive locations, or persistence of untrusted files on disk, especially if the model is tricked into using a privileged path.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The reminders command sends an email containing task subjects and due-date details without a confirmation gate, unlike other potentially sensitive actions in this module that use confirm_or_die. Because the recipient can be set explicitly with --to, an operator error, malicious caller, or unsafe agent workflow could exfiltrate potentially sensitive task metadata to an unintended address.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
cmd_assign creates tasks directly in another user's mailbox without any confirmation prompt, unlike create/complete/trash which call confirm_or_die(). In an agent setting, this makes silent cross-user actions easier to trigger through prompt mistakes, ambiguous user intent, or malicious instruction chaining, especially when delegate permissions already exist.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrase "nextcloud file operations" is overly broad and can match many ordinary user requests involving cloud files, increasing the chance this skill is invoked when the user did not specifically intend Nextcloud actions. Because the skill supports destructive and sharing operations, accidental routing can lead to unintended file access, modification, deletion, or public exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation exposes destructive and privacy-sensitive capabilities including delete, upload/download, and public share creation without clearly stating confirmation, approval, or risk boundaries at the point of use. In a skill that can manipulate enterprise files and generate public links, missing warnings and approval gates materially increase the risk of accidental data loss or unauthorized disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Creating a public share link exposes internal files outside Nextcloud, yet the CLI path performs no confirmation or warning before doing so. In an agent context, that makes accidental data disclosure more likely because a single command can immediately generate an externally accessible URL.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The guide instructs users to configure live Exchange credentials and even suggests disabling SSL verification for self-signed certificates, but it does not include clear warnings about secret handling, least-privilege service accounts, or the interception risks of weakened TLS validation. In an enterprise connector context, these credentials grant access to sensitive mail/calendar data, so poor operator guidance can materially increase the chance of credential exposure or insecure deployment.

VirusTotal

2/65 vendors flagged this skill as malicious, and 63/65 flagged it as clean.
