ClawHub

Honeybook

Security checks across malware telemetry and agentic risk

Overview

This HoneyBook helper is purpose-aligned, but it handles sensitive portal sessions, payment-related data, and signing/payment links without enough scoping or session-safety guidance.

Install only if you intentionally want an agent to access HoneyBook portal sessions. Treat HoneyBook magic links as login secrets, confirm the task is HoneyBook-specific before using the skill, and delete or revoke cached sessions when you no longer need access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger criteria are broad and open-ended, covering generic requests about contracts, invoices, proposals, and payments. In a skill that can capture portal sessions and return signing/payment links, over-triggering increases the chance the agent invokes this capability in the wrong context and exposes or acts on sensitive HoneyBook data without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to paste emailed magic-link URLs so the system can capture an authenticated session, but it does not prominently warn that these links are effectively bearer credentials and that resulting sessions are cached locally. In this context, the skill handles contracts, invoices, payment methods, and signing/payment flows, so unclear disclosure around session capture and storage materially raises the risk of privacy loss, account misuse, and unauthorized access on shared or compromised machines.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal