Codehooks Backend

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about its purpose, but it gives an agent broad non-interactive control over a live backend and should be reviewed carefully before use.

Install only if you are comfortable letting the agent manage a Codehooks backend. Prefer a dedicated non-production project, use the narrowest or shortest-lived token available, require manual review before deployments and data import/export, validate callback/webhook destinations, monitor logs and scheduled jobs, and rotate the admin token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill clearly enables sensitive capabilities including outbound network use and access to an admin token via environment variables, yet it does not declare explicit permissions. That mismatch weakens policy enforcement and informed consent: an agent may be granted a powerful deployment surface without the host system clearly surfacing that the skill can read secrets and deploy code to a live backend.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README explicitly instructs the human to give an admin token to the agent and shows non-interactive deployment using that token, but it does not clearly warn that this credential grants broad control over the backend environment. If an agent is compromised, misprompted, or connected to untrusted tools/plugins, the token could be exfiltrated or misused to deploy code, access data, or alter backend resources.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The workflow completion handler performs a POST request to `data.state.callbackUrl`, which originates from `req.body.callbackUrl` supplied by the caller, with no validation, allowlist, or restriction on destination. This creates an SSRF-style outbound request primitive and can also exfiltrate workflow result data to arbitrary endpoints, which is especially risky in a backend automation skill that is explicitly designed to contact external systems autonomously.

VirusTotal

59/59 vendors flagged this skill as clean.