ClawHub

Framer CRM API

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Framer automation skill, but it gives a CMS-focused skill broad authority to change live site content, pages, redirects, and code without consistent confirmation guidance.

Install only if you intend to let the agent administer a Framer project beyond ordinary CMS edits. Before use, require explicit confirmation for deletes, bulk edits, page changes, redirects, code/custom-code changes, publishing, and deployment, and treat the Framer API key as a sensitive secret that should not be logged, committed, screenshotted, or shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is presented as a Framer CMS management tool, but it also documents broader project-control capabilities such as code files, custom code, page management, redirects, screenshots, and node traversal. That scope expansion increases the chance the agent may perform actions outside the user's expected CMS-only intent, violating least privilege and enabling unintended modification of site structure or code.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Including custom code creation, code overrides, head/body code access, and page/design manipulation in a CMS-focused skill materially expands impact from content management to arbitrary site behavior changes. If triggered in a normal CMS workflow, these capabilities could be abused to inject malicious code, alter routing, remove nodes, or otherwise compromise the site beyond the user's reasonable expectations.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The file documents broad project-asset and site-management capabilities well beyond the stated CMS-focused purpose in the skill metadata, including pages, node traversal, screenshots, localization, redirects, styles, fonts, and code-related project assets. This scope expansion increases the chance the agent can be induced to perform unintended destructive or privacy-impacting actions on the broader Framer project, violating least privilege and making misuse more dangerous than a narrowly scoped CMS skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation exposes creation of custom code files and access to custom code injection slots, which are materially more dangerous than ordinary CMS content management because they can alter site behavior and potentially introduce arbitrary client-side script. In a skill advertised for CMS management, these features create a pathway from content automation into executable-code modification, increasing the risk of supply-chain-style defacement, tracking injection, credential phishing, or persistent malicious JavaScript on deployed sites.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The onboarding instructs the user to collect a Framer Server API key and persist it in a project-local `.env` file, but it does not provide an explicit warning that this credential grants sensitive access and must not be exposed in logs, screenshots, client-side code, or committed history. Although storing secrets in `.env` is a common practice, the absence of clear handling guidance increases the chance of accidental disclosure, especially because the same flow also asks the user to paste the key and run test code that uses it.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal