Agents Sdk

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Cloudflare Agents SDK skill whose sensitive examples are consistent with its stated purpose, but several of those examples need security hardening before they are used in production.

Install only if you are building Cloudflare Agents SDK projects. Treat examples as starting points: avoid long-lived tokens in URLs, verify webhooks using a single buffered raw body, connect only trusted MCP servers, filter model-accessible tools, and restrict browser automation to authorized domains and non-sensitive sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The webhook example reads the request body twice with `await request.text()`: once for signature verification and again before `JSON.parse`. In the Fetch/Workers request model, the body stream can be consumed only once, so the second read fails or returns an empty body. Because the raw body must be read once and buffered, with the signature verified over that exact string before it is parsed, the bug can push developers to disable verification or implement unsafe workarounds in production webhook handlers.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The skill description is broadly scoped to many common agent-building tasks, including stateful agents, workflows, chat apps, voice agents, MCP servers, and browser automation. In systems that auto-load skills from natural-language descriptions, such broad matching can cause this skill to be selected in unrelated contexts, increasing prompt-surface area and the chance that its instructions bias behavior or override a more appropriate, narrower skill.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The document promotes browser-based scraping, screenshots, and page interaction but does not warn about collecting sensitive page contents, authenticated-session data, or terms/privacy constraints. In an agent SDK context, this omission is significant because users may enable broad browsing capabilities and let models access third-party pages without understanding the data-handling and consent risks.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The documentation states that the LLM writes async JavaScript IIFEs that run in a fresh browser session, but it does not warn that model-generated code will actively execute against visited pages. Without strict guardrails, exposing this tool creates a meaningful risk of unintended actions, data extraction, interaction with authenticated sessions, or abuse of third-party sites.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The documentation explicitly demonstrates passing an authentication token in the URL query string (`token=...`) without warning about the security tradeoffs. Query parameters are commonly recorded in browser history, server and CDN logs, analytics, Referer headers, and monitoring tools, so a token that is reused or long-lived can leak and be used for unauthorized access.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The example encourages connecting to arbitrary external MCP servers with bearer credentials and then merging every returned MCP tool directly into the model-accessible toolset. This is a real trust-boundary problem: a malicious or compromised MCP server could expose dangerous tools or harvest sensitive data, and the documentation does not warn about validating server trust, scoping credentials, or limiting which tools are exposed to the model.

VirusTotal

65/65 vendors flagged this skill as clean.
