Shortcut

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Shortcut integration, but it needs Review because it can modify or delete live workspace data and automatically sources a generated shell configuration file.

Install only if you are comfortable letting the agent act on your Shortcut workspace with the provided token. Use the least-privileged token available, require explicit confirmation before update or delete requests, and avoid adding the generated workflow-states file to ~/.bashrc unless you have inspected it and trust the workspace state names.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill exposes shell-based execution capabilities but does not declare any permissions or trust boundaries, which prevents users and orchestrators from understanding that local commands and filesystem access are involved. In this context, the shell capability can read local token files, invoke networked scripts, and modify local configuration, so the missing permission declaration materially increases the risk of unintended privileged actions.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented behavior understates the destructive and sensitive capabilities of the skill: it can delete tasks and comments, display full story details, and initialize workflow configuration by writing local files. This mismatch is dangerous because users may invoke the skill expecting limited project-management actions while the implementation enables data deletion, broader data exposure, and local persistence that should require clearer disclosure and stronger consent.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script implements destructive functionality by deleting story comments, but the declared skill description only mentions creating comments and managing stories/checklists, not deleting comments. Hidden or undocumented destructive actions increase the chance of misuse, surprise behavior, and unsafe invocation by an agent or user who does not expect comment deletion to be available.

Missing User Warnings

Medium
Confidence: 84%
Finding
The README instructs users to store a live API token in a predictable local file path, but does not emphasize that this is a sensitive credential or discuss safer handling practices. If the file is exposed through backups, misconfigured home-directory permissions, local compromise, or accidental disclosure, an attacker could use the token to access and modify Shortcut workspace data.

VirusTotal

66/66 vendors flagged this skill as clean.