Review Responder

Security checks across malware telemetry and agentic risk

Overview

The skill matches its review-response purpose, but it stores powerful Google credentials locally and can post public replies without a technical approval check.

Review before installing. Use this only if you are comfortable giving the skill ongoing Google Business Profile access for each client. Store client files outside source control with restrictive permissions or an encrypted secrets store, use HTTPS for OAuth onboarding, verify that your agent never calls the reply command without a fresh operator approval, and have a token revocation/rotation plan if any client JSON file is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
The code exposes a direct posting path that will publish any supplied reply text to Google Business Profile without enforcing the manifest-promised approval gate. In this skill context, that mismatch is especially dangerous because operators and downstream agents may rely on the stated 'never auto-posted' guarantee, creating a trust boundary that the implementation does not actually uphold.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
The function claims to post an approved reply, but there is no approval validation at all; any caller that can invoke the command can publish arbitrary text. This is a real security and integrity issue, not just a documentation bug, because it weakens the intended human-approval control for public business communications.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
The callback persists a Google OAuth refresh token and the OAuth client secret to a local JSON file, creating a long-lived credential store that can be reused to access the client's Google Business Profile outside the immediate review-response action. In this skill context, that is especially sensitive because the scope grants business management access and the server is explicitly intended for onboarding real client accounts, so compromise of the host or files could enable unauthorized access or posting activity.

Natural-Language Policy Violations

Severity: Medium
Confidence: 94%
The changelog records the medical profile as "HIPAA-safe," which overstates the compliance posture and can mislead operators into believing the skill or workflow provides regulatory assurance it does not actually provide. In this skill’s context—handling public review replies for medical clients and storing client OAuth credentials—such wording can cause unsafe reliance, weak review of PHI exposure risk, or adoption in regulated settings under false assumptions.

Missing User Warnings

Severity: Medium
Confidence: 95%
The setup guide explicitly instructs operators to place the OAuth client secret and a long-lived refresh token into per-client JSON config files, but provides no warning about secure storage, file permissions, encryption, or source-control exclusion. Those secrets grant ongoing access to Google Business Profile data and reply capabilities, so compromise of the workspace or accidental commit could expose multiple client accounts.

Missing User Warnings

Severity: Medium
Confidence: 80%
The script stores reviewer names, comments, ratings, and timestamps in plaintext JSON files on local disk. Review content can contain personal or sensitive information, so unprotected local persistence increases exposure through accidental disclosure, weak filesystem permissions, backups, or multi-tenant environments.

Missing User Warnings

Severity: Medium
Confidence: 97%
The OAuth callback writes sensitive refresh tokens and even the OAuth client secret to disk in plaintext without any encryption, secure secret handling, or user-facing disclosure. In the context of a business review automation workflow, these credentials can provide durable access to customer Google Business Profile resources, so theft of the file or accidental exposure could lead to account takeover or unauthorized business actions.

VirusTotal

65/65 vendors flagged this skill as clean.
