ClawHub

Mycobot

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate WhatsApp Business integration, but it gives an agent broad live-account powers with limited guardrails.

Install only if you intend to let an agent operate a real WhatsApp Business account through Maton. Verify the publisher and name mismatch, use a limited or dedicated API key where possible, specify the intended Maton connection explicitly, and require human confirmation before sending messages, deleting resources, creating templates, or changing business profile details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents actions that can send messages, upload media, and delete connections or media, but it does not include clear warnings about privacy, consent, irreversible actions, or the sensitivity of customer communications. In an agent setting, that omission increases the risk of unsafe autonomous use against real user/customer data or destructive operations without adequate confirmation.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
#### Delete Media

```bash
DELETE /whatsapp-business/v21.0/{media_id}
```

### Message Templates
Confidence
87% confidence
Finding
DELETE /whatsapp-business/v21.0/{media_id}

Tool Parameter Abuse

High
Category
Tool Misuse
Content
#### Delete Template

```bash
DELETE /whatsapp-business/v21.0/{whatsapp_business_account_id}/message_templates?name=template_name
```

### Phone Numbers
Confidence
89% confidence
Finding
DELETE /whatsapp-business/v21.0/{whatsapp_business_account_id}/message_templates?name=template_name

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal