ClawHub

Civic Nexus

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Civic Nexus bridge, but it gives an agent broad access to many connected services without clear approval boundaries for sensitive actions.

Install only if you trust Civic Nexus and need a broad MCP bridge. Use the official Nexus URL, create a least-privilege token/profile, avoid connecting production or highly sensitive accounts unless necessary, and require manual approval before any write, delete, send, bulk, or SQL-execution action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to connect to Civic Nexus for Gmail, databases, Box, and other third-party services, but it does not clearly warn that user data, prompts, query contents, and retrieved records may be transmitted to external systems. In an agent setting, this can lead to unintended disclosure of sensitive emails, database contents, or tokens if users are not given an explicit privacy notice and consent checkpoint.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CLI exposes direct execution of arbitrary remote MCP tools with user-supplied arguments and provides no confirmation, risk classification, or warning before potentially destructive actions. In a system advertising 100+ integrations, this can lead to unintended state changes, data deletion, message sending, or external side effects if a user invokes a dangerous tool by mistake or via social engineering.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal