Scalekit Agent Auth

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Scalekit connector, but it exposes broad connected-service authority and includes a command that can print raw OAuth tokens.

Install only if you intend this agent to operate across the Scalekit services you connect. Use least-privilege Scalekit credentials, connect only necessary providers, avoid logging command output, do not use --get-authorization in agent workflows, and require explicit approval before proxy requests, file transfers, sends, deletes, or other mutating actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill clearly requires environment secrets and performs networked operations, yet no explicit permission model is declared to constrain or signal those capabilities. In an agent setting, undeclared env and network access increases the chance of over-privileged execution and makes it harder for reviewers or policy systems to enforce least privilege.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented behavior extends beyond ordinary third-party tool execution into management-plane discovery and token/authorization inspection, including mention of retrieving OAuth access and refresh tokens. That mismatch is dangerous because users and reviewers may authorize a broad operational skill without realizing it can inspect sensitive connection metadata or expose credentials.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The CLI exposes raw OAuth access and refresh tokens to stdout, which goes beyond the stated purpose of tool discovery and execution. Tokens printed to terminal output can be captured by shell history, logs, CI output, session recording, or other local observers, enabling direct account takeover or API access outside the intended proxy controls.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The code can enumerate all configured environment connections, which broadens capability beyond executing a specific user-requested tool. This increases exposure of integration inventory and metadata, helping an attacker map available providers and target higher-value connected services.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The manifest describes executing tools through integrations, but the implementation also supports arbitrary proxied HTTP requests plus local file read/write. That materially expands the skill from constrained tool execution into a generic network proxy and file-handling primitive, which can be abused to access unsupported API endpoints, move data off-platform, or overwrite local files if exposed to untrusted inputs.

Vague Triggers
Severity: Medium
Confidence: 92%
Finding: The README instructs the skill to trigger on essentially any request involving an external service, even when the provider is not explicitly named. That broad invocation scope can cause over-triggering on routine user requests, leading the agent to access tools, connected accounts, or external data sources when the user did not clearly intend such actions.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The README emphasizes automatic authorization, tool execution, and direct proxied API fallback across third-party services, but does not warn about privacy, data access scope, or the sensitivity of connected-account operations. In this context, users or integrators may underestimate that the skill can read or modify external data, increasing the risk of unintended disclosure or actions through connected SaaS platforms.

Vague Triggers
Severity: High
Confidence: 94%
Finding: The trigger language is extremely broad, effectively instructing the agent to invoke this skill for almost any request involving external data or services, even when the provider is not named. In practice this expands the blast radius of a powerful skill that can read, write, send messages, query databases, and proxy API requests, increasing the risk of unintended invocation and unsafe actions across many integrations.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The documentation includes upload, download, and local file write flows, including direct retrieval to local paths, without strong user-consent and safety guidance around modifying remote content or writing files locally. In an autonomous or semi-autonomous agent environment, that can lead to accidental data exfiltration, overwrites, or unauthorized modification of user data.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: Printing OAuth access and refresh tokens directly to stdout is sensitive secret disclosure. In agent and CLI environments, stdout is frequently logged, persisted, or exposed to operators and monitoring systems, so this can leak reusable credentials well beyond the immediate caller.

VirusTotal

67/67 vendors flagged this skill as clean.