Salesforce AI Agentforce Observability

Security checks across malware telemetry and agentic risk

Overview

This Salesforce observability skill is largely coherent, but it handles highly sensitive trace data and includes under-scoped guidance on internal trace capture that users should review carefully before installing.

Install only for authorized Salesforce administrators or engineers who are permitted to access Agentforce/Data 360 telemetry. Treat exported Parquet, JSON, CSV, logs, HAR files, prompts, messages, action inputs/outputs, and quality traces as sensitive data: apply narrow date and session filters, keep exports in protected storage, redact them before sharing, and delete them when no longer needed. Avoid the internal Builder trace and HAR capture workflow unless your organization has explicitly approved it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90%
Finding
The skill advertises and operationally relies on sensitive capabilities such as environment access, filesystem read/write, network calls, and shell usage, yet does not declare any permissions or constraints. This weakens reviewability and least-privilege enforcement, making it easier for a skill to access credentials, local keys, org metadata, or write artifacts without explicit user or platform scrutiny.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The documented purpose is observability and telemetry analysis, but the behavior described extends into credentialed authentication flows, direct query execution against Data Cloud, retrieval/cancellation/count operations, extraction of additional quality/audit datasets, URL generation, and autonomous hook behavior. This mismatch increases the chance that users or orchestrators grant trust to a skill for 'analysis' while it performs broader privileged actions, including access to sensitive telemetry and derived quality/safety data.

Context-Inappropriate Capability

Medium
Confidence
96%
Finding
This documentation goes beyond the declared STDM/Data Cloud observability scope and provides reverse-engineered internal Builder trace endpoints, auth patterns, and capture procedures for extracting transient telemetry not intended for normal supported access. That materially expands operator capability into internal session inspection, including access to full prompts, tool definitions, variable state, and safety metadata, which increases the risk of unauthorized data access and misuse of internal interfaces.

Context-Inappropriate Capability

Medium
Confidence
98%
Finding
The file explicitly instructs users to perform manual HAR export and browser network capture of Builder sessions to obtain telemetry. That is dangerous because HAR files and captured requests can contain session cookies, bearer tokens, message content, prompt data, and other sensitive execution details; sharing or retaining them enables credential leakage and unauthorized replay or inspection far beyond the skill's stated purpose.
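The HAR-capture warning above, and the redaction step the overview calls for before any export is shared, as an added example that is not part of this report or of the skill being scanned: a Python sanitizer that drops entries outside a chosen URL prefix (the narrow session filter), blanks credential-bearing headers, cookies and query parameters by name, and pattern-redacts bearer tokens, JWT-like strings and Salesforce-style session ids wherever they appear in URLs, parameters and bodies. The sample HAR, hostnames, token values and the session-id regex are constructed for this example; the regex only approximates the shape of such ids and is not an official format definition.

```python
import json
import re
from copy import deepcopy

REDACTED = "[REDACTED]"

# Header names whose values are credentials (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization", "x-csrf-token"}
# Query/post parameter names that commonly carry session material.
SENSITIVE_PARAMS = {"access_token", "token", "sid", "session", "code", "api_key", "refresh_token"}
# Loose patterns for secrets that can also turn up inside URLs and bodies.
# The Salesforce session-id shape (org id beginning "00D", then "!") is an
# approximation assumed for this example, not an official format definition.
SECRET_PATTERNS = [
    re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*"),                          # bearer tokens
    re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"),  # JWT-like
    re.compile(r"00D[A-Za-z0-9]{12,15}![A-Za-z0-9._]+"),                    # Salesforce-style session id
]


def redact_text(text):
    """Replace every secret-looking substring; return (new_text, hit_count)."""
    hits = 0
    for pat in SECRET_PATTERNS:
        text, n = pat.subn(REDACTED, text)
        hits += n
    return text, hits


def _redact_kv_list(items, sensitive_names):
    """Scrub HAR name/value lists (headers, queryString, postData.params) in place."""
    hits = 0
    for item in items:
        if item.get("name", "").lower() in sensitive_names:
            item["value"] = REDACTED          # credential by name: blank it entirely
            hits += 1
        else:
            item["value"], n = redact_text(str(item.get("value", "")))
            hits += n
    return hits


def sanitize_entry(entry):
    """Scrub one HAR entry in place; return the number of redactions made."""
    hits = 0
    for side in ("request", "response"):
        msg = entry.get(side, {})
        hits += _redact_kv_list(msg.get("headers", []), SENSITIVE_HEADERS)
        # HAR stores parsed cookies separately from the Cookie/Set-Cookie headers.
        for c in msg.get("cookies", []):
            if "value" in c:
                c["value"] = REDACTED
                hits += 1
    req = entry.get("request", {})
    req["url"], n = redact_text(req.get("url", ""))   # tokens often ride in the query string
    hits += n
    hits += _redact_kv_list(req.get("queryString", []), SENSITIVE_PARAMS)
    post = req.get("postData", {})
    hits += _redact_kv_list(post.get("params", []), SENSITIVE_PARAMS)
    if "text" in post:
        post["text"], n = redact_text(post["text"])
        hits += n
    content = entry.get("response", {}).get("content", {})
    if "text" in content:
        content["text"], n = redact_text(content["text"])
        hits += n
    return hits


def sanitize_har(har, url_prefix=None):
    """Return (sanitized_copy, total_redactions). With url_prefix set, entries for
    other hosts/paths are dropped so only the requests actually needed are shared."""
    out = deepcopy(har)                     # never mutate the captured original
    entries = out["log"]["entries"]
    if url_prefix:
        entries = [e for e in entries if e["request"]["url"].startswith(url_prefix)]
        out["log"]["entries"] = entries
    total = sum(sanitize_entry(e) for e in entries)
    return out, total


# Constructed sample: not a real capture; hostnames and token values are invented.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://example.my.salesforce.com/trace?sid=00DAB000001xyzQ!AQEAQabc.def",
                 "headers": [{"name": "Authorization", "value": "Bearer abc.DEF-123"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "00DAB000001xyzQ!AQEAQabc.def"}],
                 "queryString": [{"name": "sid", "value": "00DAB000001xyzQ!AQEAQabc.def"}]},
     "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=xyz; HttpOnly"}],
                  "content": {"mimeType": "application/json",
                              "text": "{\"prompt\":\"hi\",\"token\":\"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig_value\"}"}}},
    {"request": {"method": "GET", "url": "https://cdn.example.com/app.js",
                 "headers": [], "cookies": [], "queryString": []},
     "response": {"status": 200, "headers": [], "content": {"text": "console.log(1)"}}},
]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR, url_prefix="https://example.my.salesforce.com/")
    print(json.dumps(clean, indent=1))
    print("redactions:", n)
```

Name-based blanking is deliberately unconditional: a header called Authorization is a credential whether or not its value matches a known token shape, and a pattern miss there would be the costly failure mode. The pattern pass is the backstop for tokens that leak into URLs, prompts or response bodies, where there is no field name to key on; extend SECRET_PATTERNS with the formats your own org issues before relying on it.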

VirusTotal

66/66 vendors flagged this skill as clean.
