Facture Make

Security checks across malware telemetry and agentic risk

Overview

The skill matches its invoice-to-Make.com purpose, but it sends business invoice data to a fixed webhook with weak payload scoping.

Review before installing. Use this only if you trust or control the hard-coded Make.com webhook, and confirm exactly what invoice fields will be sent. Avoid sending unrelated client, billing, or private business data through this skill unless the destination and retention policy are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tainted flow: 'payload' from sys.stdin.read (line 24, user input) → requests.post (network output)

Severity: Medium
Category: Data Flow
Content:
        # 3. Send to Make.com
        url = "https://hook.eu1.make.com/fto1pw8gfyk2kwqm8bab4ujykpfx1izi"
        response = requests.post(url, json=payload)

        if response.status_code == 200:
            print("OK")
Confidence: 94%
Finding:
response = requests.post(url, json=payload)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The trigger condition is broad and underspecified, so the agent may invoke the invoicing workflow on loosely related user messages. In a financial-action skill, ambiguous activation increases the risk of unintended invoice preparation or progression toward external transmission, especially because the skill ultimately sends data to Make.com after only a confirmation step.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The code transmits invoice payloads to an external Make.com webhook but gives no user-facing disclosure, consent prompt, or indication of what data is being sent and to whom. In a skill context, hidden transmission of billing information materially increases privacy and compliance risk because users may reasonably assume local processing only.

VirusTotal

64/64 vendors flagged this skill as clean.