Cloudways MCP

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Cloudways admin guide, but it gives agents broad infrastructure credentials and includes under-scoped direct API and automation paths that deserve review before installation.

Install only for operators who should administer the connected Cloudways accounts. Use least-privilege or separate API keys where possible, keep credentials out of chat logs and reports, require explicit confirmation for every write or direct API action, and avoid unattended automation that can change production state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The documentation explicitly tells the agent it can bypass the Cloudways MCP and use direct Cloudways REST API credentials with curl. That expands the skill from a constrained MCP-mediated interface to arbitrary direct API use, weakening the safety model, confirmation expectations, auditability, and tool-bound permission boundaries described in the skill metadata. In an operational admin skill that already includes sensitive write actions, this makes unsafe or unreviewed actions more likely.

Intent-Code Divergence

Medium, 95% confidence
Finding
The workflow is explicitly labeled read-only, but the diagnostic matrix recommends restarting services when RAM is high. A restart is a write/operationally disruptive action in Cloudways and conflicts with the skill metadata requiring explicit confirmation for any write operation, creating a real risk that an agent escalates from monitoring into state-changing actions without user approval.

Natural-Language Policy Violations

Medium, 87% confidence
Finding
The headless Claude example explicitly instructs output in Hebrew regardless of user preference. This is not a classic security flaw, but it can cause unsafe UX behavior by overriding user intent and producing operational reports in a language recipients may not understand, increasing the chance of missed alerts or mishandled actions.

Vague Triggers

Medium, 82% confidence
Finding
The trigger phrases for the daily snapshot are very broad ('what's going on', 'general overview'), making it easy for an agent to invoke Cloudways account-wide monitoring during ordinary conversation without clear user intent. While this workflow is read-only, it can still cause unnecessary access to account/server/app data and overshare infrastructure details beyond what the user explicitly requested.

Vague Triggers

Medium, 84% confidence
Finding
The phrase 'the site is slow' is highly conversational and could match vague complaints without confirming the site is Cloudways-hosted or identifying the target application/server. In this skill context, that can trigger broad monitoring calls against the wrong tenant, server, or app, increasing the chance of unintended data access and mis-scoped investigation.

Vague Triggers

Medium, 83% confidence
Finding
The traffic anomaly workflow uses vague prompts like 'there's a jump in traffic' or 'sales dropped' without requiring Cloudways context or a specific app/account scope. That broadness can cause the agent to initiate analytics queries across infrastructure based on an ambiguous statement, exposing operational metrics not clearly requested by the user.

Missing User Warnings

Medium, 88% confidence
Finding
The workflow explicitly instructs auditors to retrieve server details including master credentials and to inventory access-related data, but it does not include any guardrails for secret minimization, redaction, storage, or display. In an onboarding/audit context spanning multiple client accounts, this increases the chance of unnecessary credential exposure in notes, reports, screenshots, chat logs, or to operators who do not need direct secret access.

Missing User Warnings

Medium, 95% confidence
Finding
The application-mapping stage instructs retrieval of app details and database credentials as part of routine audit collection, again without warning about secret handling. Database credentials are highly sensitive and can enable direct data access or modification; normalizing their collection during a read-only audit materially raises the risk of credential leakage and unauthorized downstream use.

VirusTotal

63/63 vendors flagged this skill as clean.