Cloudflare R2 S3 Storage Tool

Security checks across malware telemetry and agentic risk

Overview

This is a real Cloudflare R2 storage helper, but it needs review because it can make uploads public by default and delete bucket objects without a safety prompt.

Review before installing. Use a dedicated least-privilege R2 token for only the intended bucket, avoid uploading sensitive files unless you explicitly use private mode, keep secrets out of version control, and only allow the delete command after clear human confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill documents use of sensitive environment variables for Cloudflare R2 credentials, but the metadata does not declare corresponding permissions. This creates a transparency and governance gap: users and hosting platforms may not realize the skill accesses secrets, making credential exposure or overbroad trust more likely.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The declared purpose emphasizes uploading files and obtaining public URLs, but the documented behavior also includes listing and deleting bucket contents and testing connectivity. This mismatch can mislead users about the skill's real capabilities, increasing the chance of unintended destructive actions or broader data access than expected.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill promotes generating public access URLs and enabling bucket public access, but it does not prominently warn that uploaded files may become internet-accessible. In a storage skill, this omission is materially risky because users may upload sensitive content assuming the standard private object-storage semantics.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The delete command removes remote objects immediately with no confirmation prompt, dry-run mode, or safety interlock. In an agent or automation context, this increases the chance of accidental destructive actions, leading to data loss in the configured bucket.

VirusTotal

66/66 vendors reported this skill as clean.
