Pinkr Crm

Security checks across malware telemetry and agentic risk

Overview

This CRM skill has a legitimate purpose, but it gives an agent broad authenticated CRM access and can expose CRM bearer tokens outside the intended service boundary.

Install only if you trust this skill with Pinkr CRM admin access. Use least-privilege CRM credentials, keep unrelated secrets out of any readable .env file, avoid logging login output, and require the skill to reject non-Pinkr URLs and limit endpoints before allowing autonomous use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill declares tool capabilities that can read environment variables and local files and make network requests, but it does not declare explicit permissions governing those behaviors. In a credentialed CRM integration, this increases the chance of unintended secret access or external data transmission without clear policy boundaries or user awareness.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The API wrapper explicitly allows a full URL whenever the endpoint starts with 'http', which expands the tool from a Pinkr CRM client into a generic authenticated HTTP POST client. In this context, that is dangerous because the code will still attach the CRM Bearer token to the outbound request, enabling requests to attacker-controlled hosts outside the declared service boundary.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Because call_api accepts arbitrary full URLs and always sends the Authorization header with the CRM token, a caller can direct the client to an external server and exfiltrate valid bearer credentials. In a CRM integration handling member data, theft of that token could grant unauthorized access to sensitive customer information and downstream administrative actions.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger condition says the skill should act based on general user questions and automatic intent recognition, without tight invocation constraints. Because this skill can authenticate to an external CRM and access member records, broad triggering could cause accidental execution on ambiguous prompts and unintended disclosure or retrieval of customer data.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill describes sending administrator credentials and customer/member data to an external CRM API but does not clearly warn users that sensitive data leaves the local environment. This lack of transparency is especially risky because the integration handles authentication secrets and potentially personal information, creating privacy, compliance, and consent issues.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The login command prints the bearer token directly to stdout, which can expose credentials through terminal logs, shell history capture, CI logs, agent transcripts, or other output collection systems. For an agent skill, stdout is often surfaced to other components, so this increases the chance of inadvertent credential disclosure.

VirusTotal

VirusTotal findings are pending for this skill version.
