ClawHub

Datadog MCP

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Datadog observability integration, but users should scope Datadog credentials carefully because it can expose production data and optionally trigger workflows.

Install only for trusted agents and environments. Use a dedicated least-privilege Datadog application key, enable only the toolsets you need, avoid workflow execution unless you want the agent to trigger automations, and treat returned logs, traces, host details, and incident data as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The security notes are materially misleading: they state API keys grant only read access, while the documented toolsets include potentially write-capable operations such as workflow execution and incident actions. This can cause operators to provision broader credentials than intended and use the skill in production under a false assumption of read-only behavior, increasing the risk of unauthorized state changes or operational disruption.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises broad access to logs, traces, metrics, incidents, dashboards, infrastructure data, synthetic tests, and workflow execution, but it does not clearly warn that these capabilities may expose sensitive production data or trigger state-changing actions. In an agent skill context, this omission increases the chance that users enable the skill without understanding that the agent may retrieve confidential observability data or invoke operational automations with real impact.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup instructs users to place long-lived Datadog API credentials in shell environment variables and pass them as command-line header arguments, which can expose secrets through shell history, process listings, logs, debugging output, or misconfigured telemetry. In a production-observability context, these credentials can provide broad access to sensitive operational data and possibly more if over-privileged keys are used.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The note says the server 'handles intent parsing' and 'selects the appropriate tool based on your prompt,' which encourages invocation from ordinary natural-language requests without explicit user confirmation. In a security-sensitive observability skill, this broad trigger model can cause unintended access to logs, traces, incidents, or host data from ambiguous prompts, increasing the chance of unnecessary data exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API reference documents broad access to logs, traces, hosts, monitors, and incidents but does not warn that these sources may contain sensitive operational details, secrets, internal topology, or user data. Because this skill is explicitly intended for production investigation and uses privileged Datadog credentials, the omission makes accidental over-collection and unsafe disclosure more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal