Bazhuayu Webhook

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real RPA webhook tool, but it handles powerful webhook credentials in ways that could accidentally expose them.

Install only if you intend this skill to trigger the configured RPA webhook. Treat the webhook URL and signing key like credentials: do not commit .env.example, .env.migrated, config.json, logs, screenshots, or shell profiles containing real values. Prefer a secrets manager or tightly permissioned private env file, use test/dry-run before real runs, and only add the cron example if unattended repeated execution is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The initialization flow claims config.json will not store sensitive information, but it allows arbitrary default parameter values to be written directly to disk. Because parameter names and values are user-defined, secrets can easily be persisted in plaintext under a misleading 'secure' UX, increasing the chance of credential disclosure through local file access or accidental backup/versioning.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The script tells users the signing key will be kept out of config files, but then writes the real secret into `.env.example`, a local file under the project directory. Even with mode 600, this creates a plaintext secret-at-rest artifact that can be copied, backed up, committed, or exposed later, undermining the script's stated security model.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The closing guidance claims the signing key is stored in environment variables and not written to configuration files, but the workflow already persisted the actual key into `.env.example`. This misleading assurance increases the chance users will mishandle the repository or share the generated file, believing no local secret file exists.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The manual explicitly instructs users to place the Webhook signing key in plaintext within config.json and to inspect configuration via CLI output, but it does not warn that this key is a secret credential. If the file is committed, shared, or displayed in logs or terminals, an attacker with access to the key can forge signed webhook requests and trigger remote RPA jobs.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The examples show how to trigger remote RPA workflows and invoke shell/subprocess operations directly from user-driven automation without warning that these actions can cause real external side effects. In an agent setting, this increases the chance of unintended task execution against third-party systems or sensitive internal workflows.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guide instructs users to persist a webhook signing key in plaintext in shell startup files such as ~/.bashrc or ~/.zshrc. While common, this increases the chance of secret exposure through backups, dotfile syncing, local disclosure, shell history mishandling, or accidental sharing, and the document does not adequately warn about these trade-offs or suggest safer secret-storage mechanisms.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The release notes explicitly mention obtaining a Webhook URL and signature key, which are sensitive credentials used to trigger RPA tasks, but provide no caution about secure storage, redaction, or avoiding exposure in logs/screenshots. In the context of an automation-triggering skill, disclosure of these values could enable unauthorized task execution or abuse of downstream bots and applications.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation instructs users to place the webhook signing key directly into shell startup files and to export it in plaintext in terminal sessions, but it does not warn that this may expose the secret via shell history, backup/sync tools, shared accounts, local malware, or overly permissive dotfile handling. Even though environment variables are better than hardcoding in the repo, this guidance still encourages broad local exposure of a credential used to authenticate webhook requests.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The examples explicitly show transmitting sensitive personal data and credentials, including a password and shipping address, to an external webhook endpoint without any warning about privacy, secret handling, masking, retention, or least-privilege use. In a webhook-triggering skill, this normalizes unsafe use and can lead users to send real secrets or PII to third-party automation services unintentionally.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The scheduled execution example instructs users to automate recurring webhook calls via cron but does not warn that configured parameters will be repeatedly transmitted to an external service. This increases the chance of continuous unintended data disclosure or repeated triggering of sensitive workflows if default parameters contain private or operationally sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The init command prints the secret key and environment-backed parameter values directly as export commands, exposing them in terminal scrollback, shell logging, screen sharing, and operator copy/paste history. This undermines the stated security posture because secrets are disclosed in cleartext during setup even if they are not written to config.json.

VirusTotal

65/65 vendors flagged this skill as clean.