ClawHub

Tmp.HH1ibdDLKj

Security checks across malware telemetry and agentic risk

Overview

The Evite skill appears aligned with managing invitations, but it needs review because it may use logged-in Evite sessions and can be triggered by broad event-management requests.

Install only if you intend to let the agent access your Evite account. Avoid storing raw session cookies in plaintext, prefer a least-privileged or temporary account when possible, and require confirmation before sending invitations, changing RSVPs, editing guest lists, or messaging guests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger description is broad enough to activate on generic event-management requests, not just clearly scoped Evite actions. That can route unrelated user intents into a skill with authenticated read/write access to invitations, guest lists, and messaging, increasing the chance of unintended access or actions on a user's Evite account.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: evite-mcp
description: This skill should be used when the user asks about Evite events or invitations. Triggers on phrases like "check Evite", "my Evite events", "who RSVP'd", "Evite guest list", "RSVP to the party", "message my Evite guests", "create an Evite invite", or any request involving event invitations, guest lists, RSVPs, or party/event hosting on evite.com.
---

# evite-mcp
Confidence
88% confidence
Finding
create an Evite invite", or any request involving event invitations, guest lists, RSVPs, or party/event hosting on evite.com. --- # evite-mcp MCP server for [Evite](https://www.evite.com) — read and

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal