Trakt Read-only

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Trakt.tv read-only lookup skill with optional user-started OAuth setup for playback data, and I found no hidden exfiltration, persistence, or destructive behavior.

Install this if you are comfortable letting an agent query your Trakt viewing/profile data. Only configure TRAKT_ACCESS_TOKEN and TRAKT_CLIENT_SECRET if you need playback progress or device activation, keep those values out of shared logs and repositories, and revoke or rotate them if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding:
The skill is marketed as read-only, but it also exposes OAuth device authorization and device token exchange flows. Even if intended for read-only scopes, token acquisition materially expands the skill's capabilities and introduces handling of secrets and bearer tokens, which changes the trust and attack surface compared with a purely read-only public-data skill.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding:
The script exposes OAuth device-flow commands (`device-code` and `device-token`) even though the skill is described as a read-only Trakt activity checker. While the access token may still be used for read-oriented API calls, adding token acquisition and authentication flow handling expands the skill from passive querying into credential and session management, which increases abuse potential and exceeds the stated scope.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
This code exchanges a device code plus `TRAKT_CLIENT_SECRET` for an OAuth access token, meaning the skill can directly participate in credential issuance rather than only consuming a token. In an agent setting, that is more dangerous than simple read-only API access because it introduces secret handling, token minting, and a path to obtaining live user credentials if the environment is over-privileged or misused.

VirusTotal

64/64 vendors flagged this skill as clean.
