ClawHub

coros-mcp

Security checks across malware telemetry and agentic risk

Overview

This COROS login helper is mostly coherent and disclosed, but it also gives agents a broad authenticated MCP tool-calling surface that is not tightly scoped.

Install only if you trust this publisher and want an agent to manage COROS MCP login plus potentially invoke COROS MCP tools under your account. Review what COROS tools are available before use, avoid legacy password login unless necessary, and use logout to clear cached local tokens when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill directs execution of Python scripts and OpenClaw commands that read and write local state, access environment data, invoke shell commands, and communicate with remote COROS endpoints, yet it declares no permissions. This creates a transparency and policy-enforcement gap: an operator or platform may treat the skill as low-risk while it performs sensitive actions including authentication, token caching, network access, and config modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The stated purpose is limited to installing or refreshing a COROS MCP connection, but the skill also supports tool enumeration, schema inspection, arbitrary MCP tool invocation with user-supplied JSON, and a legacy username/password flow. That mismatch is dangerous because reviewers and users may authorize the skill expecting a narrow login/setup function, while in practice it can perform broader authenticated actions against the remote service and handle more sensitive credential flows.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is described as a login/gateway helper, but it also implements MCP session initialization, tool enumeration, tool description, and tool invocation. That materially expands capability beyond authentication/setup, increasing the attack surface and enabling the skill to act as a general remote MCP client under the user's bearer token.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The call_tool function allows arbitrary remote MCP tool execution by name with attacker-controlled arguments, using the cached OAuth token obtained by the login helper. In the context of a gateway login utility, this is especially dangerous because users may trust it as mere authentication plumbing while it actually grants a generic command surface against the remote MCP service.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal