Salesforce AI Agent Script

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Salesforce Agent Script helper, but it needs review because its automatic validator can use your local Salesforce login and default org to query Salesforce configuration.

Install only if you are comfortable with Salesforce CLI-based validation running against a clearly chosen sandbox or least-privileged org. Before enabling hooks, review the validator, set the intended validation org explicitly, avoid using a production default org, and treat trace files, OAuth secrets, org aliases, and publish/activate commands as sensitive operational material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return result

        try:
            proc = subprocess.run(
                ["sf", "data", "query", "--query", soql, "-o", self.validation_org, "--json"],
                text=True,
                capture_output=True,
Confidence
84% confidence
Finding
proc = subprocess.run( ["sf", "data", "query", "--query", soql, "-o", self.validation_org, "--json"], text=True, capture_output=True,

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This template explicitly enables agent-triggered external HTTP callouts through a generic Named Credential and placeholder method/path values, which broadens the skill from deterministic agent authoring into arbitrary outbound integration. In an agent context, this can be dangerous because future users may wire sensitive agent inputs to external endpoints, causing data exfiltration or unintended side effects without sufficient validation or governance.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code turns a post-tool syntax validator into an active org-inspection tool that queries users, permission sets, Apex classes, and flows. In a hook context, that is dangerous because merely working on a local .agent file can trigger unexpected access to connected Salesforce org data and disclose environmental or authorization details through validator output.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The validator reads environment variables and auto-resolves a target org, then uses that context for external inspection without clear user opt-in. For a syntax-validation hook, this broadens capability significantly and can cause unintended data access based on ambient credentials or developer workstation configuration.
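One way to close the two findings above (org inspection from a syntax hook, and ambient default-org resolution) is to make org access opt-in and sandbox-only. The block below is an added example, not the validator's own code. It assumes a hypothetical opt-in variable AGENT_SCRIPT_VALIDATION_ORG, an injectable command runner so the logic can be exercised offline against constructed CLI output, and only documented sf behaviour: `sf data query --query ... --target-org ... --json`, the `{"status", "result": {"records": [...]}}` JSON envelope, and the Organization.IsSandbox field.

```python
"""Opt-in, sandbox-only org access for a Salesforce CLI based validator hook.

Added example, not the validator's own code. AGENT_SCRIPT_VALIDATION_ORG is a
hypothetical opt-in variable; the `sf` argv uses only documented flags.
"""
import json
import subprocess
from typing import Callable, Mapping, Optional

# Hypothetical opt-in variable: org queries happen only when this names an alias.
OPT_IN_VAR = "AGENT_SCRIPT_VALIDATION_ORG"

# argv -> stdout text of `sf ... --json`; injectable so the logic runs offline.
Runner = Callable[[list[str]], str]


def run_sf(argv: list[str]) -> str:
    """Real runner: invoke the sf CLI and return its stdout (JSON envelope)."""
    proc = subprocess.run(argv, text=True, capture_output=True, check=False)
    return proc.stdout


def resolve_validation_org(env: Mapping[str, str]) -> Optional[str]:
    """Return the opted-in org alias, or None for syntax-only validation.

    SF_TARGET_ORG and the CLI's configured default org are deliberately ignored,
    so a developer's production default is never picked up by accident.
    """
    alias = env.get(OPT_IN_VAR, "").strip()
    return alias or None


def sf_data_query_argv(soql: str, org: str) -> list[str]:
    """argv for a read-only SOQL query against an explicitly named org."""
    return ["sf", "data", "query", "--query", soql, "--target-org", org, "--json"]


def query_records(soql: str, org: str, run: Runner = run_sf) -> list[dict]:
    """Run a SOQL query through the CLI; return records or raise on a CLI error."""
    payload = json.loads(run(sf_data_query_argv(soql, org)))
    if payload.get("status") != 0:
        raise RuntimeError(f"sf query failed: {payload.get('message', 'unknown error')}")
    return payload["result"]["records"]


def is_sandbox(org: str, run: Runner = run_sf) -> bool:
    """Ask the org itself whether it is a sandbox (Organization.IsSandbox)."""
    records = query_records("SELECT IsSandbox FROM Organization", org, run)
    return bool(records) and records[0].get("IsSandbox") is True


def validation_org_or_skip(env: Mapping[str, str], run: Runner = run_sf) -> Optional[str]:
    """Hook gate: an org is returned only if opted in AND confirmed to be a sandbox."""
    org = resolve_validation_org(env)
    if org is None:
        return None  # no opt-in: validate syntax only, touch no org
    if not is_sandbox(org, run):
        raise RuntimeError(f"refusing org validation: {org!r} is not a sandbox")
    return org


# Constructed responses in the `sf ... --json` envelope shape (not real org output).
def _envelope(is_sandbox_flag: bool) -> str:
    record = {"attributes": {"type": "Organization"}, "IsSandbox": is_sandbox_flag}
    return json.dumps({"status": 0, "result": {"records": [record], "totalSize": 1, "done": True}})


FAKE_SANDBOX = _envelope(True)
FAKE_PROD = _envelope(False)


def fake_runner(by_org: Mapping[str, str]) -> Runner:
    """Runner that answers from canned JSON keyed by the --target-org value."""
    def run(argv: list[str]) -> str:
        return by_org[argv[argv.index("--target-org") + 1]]
    return run


if __name__ == "__main__":
    run = fake_runner({"dev-sbx": FAKE_SANDBOX, "prod": FAKE_PROD})
    print(validation_org_or_skip({}, run))                       # None
    print(validation_org_or_skip({OPT_IN_VAR: "dev-sbx"}, run))  # dev-sbx
    try:
        validation_org_or_skip({OPT_IN_VAR: "prod"}, run)
    except RuntimeError as exc:
        print(exc)
```

The sandbox check asks the org itself rather than trusting an alias name, so a production alias that happens to be called "sandbox" is still refused; with no opt-in the hook never spawns `sf` at all.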

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file is clearly testing-focused documentation embedded in a skill whose manifest explicitly says it should not trigger for agent testing work. That mismatch can cause the wrong skill to activate, leading users to receive guidance from an unintended domain and weakening routing boundaries between skills.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The cross-reference sends Evaluation API testing patterns to another skill while this skill still contains substantial testing guidance. This inconsistency can confuse skill selection and create ambiguous authority, increasing the chance that an agent uses incomplete or conflicting instructions during testing-related tasks.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are broad enough to activate on general discussion of deterministic agent patterns, slot filling, or instruction resolution, not just when the user wants this specific skill. Over-broad triggering increases the chance the skill is selected in contexts where shell/CLI/org-inspection behavior is unnecessary, expanding exposure to sensitive files, environment data, and target-org operations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document provides ready-to-run deploy and publish commands against a named real org and does not clearly warn that executing them changes remote Salesforce state. In an agent-skill context, users may copy/paste these commands during routine validation, causing unintended deployments, agent publication, or changes in a shared environment.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill enables implicit invocation via `allow_implicit_invocation: true`, which can cause the agent to auto-select this skill outside narrowly enforced routing boundaries. Because the description contains broad trigger language and this YAML does not encode concrete constraints or exclusions, the skill may activate in unintended contexts, increasing the chance of prompt-surface expansion, misuse, or interference with other safer/specialized skills.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document includes a client-credentials OAuth example that embeds the client secret directly in a curl command without any warning about protecting secrets. This can lead users to expose secrets via shell history, process listings, screenshots, CI logs, or copied terminal transcripts, creating avoidable credential leakage risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide explicitly tells users that debugging views expose exact prompts, raw tool-call JSON, and variable state, including security-relevant variables, but it provides no caution about secrets, personal data, or internal instructions appearing in those traces. In a debugging and observability context, this omission can lead users to overshare trace data, store it insecurely, or grant broad access to highly sensitive execution artifacts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The CLI workflow exports and prints full trace JSON with jq recipes that surface prompt contents, enabled tools, function errors, and variable updates, yet it never warns that these artifacts may include confidential conversation data, internal instructions, or sensitive operational state. This is dangerous because users may routinely dump traces to terminals, files, CI logs, or tickets, creating avoidable disclosure paths.
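The three warnings above (the embedded OAuth client secret, the debugging views, and the exported trace JSON) share one mitigation: scrub secrets and personal data before a trace or transcript leaves the developer's machine. The block below is an added example, not part of the skill or of Salesforce tooling. The sample trace is a constructed JSON document only loosely shaped like an export (prompt, tool calls, variables, errors); the redaction walks any JSON, so the real schema does not matter, and the key and value patterns are assumptions a team would tune to its own data.

```python
"""Redact secrets and personal data from an exported agent trace before sharing it.

Added example, not part of the skill under review. SENSITIVE_KEYS and
VALUE_PATTERNS are assumptions to be tuned; SAMPLE_TRACE is constructed.
"""
import json
import re
from typing import Any

REDACTED = "[REDACTED]"

# Keys whose whole value is dropped (case-insensitive substring match). Assumption.
SENSITIVE_KEYS = ("secret", "token", "password", "authorization", "session", "api_key", "apikey")

# Value shapes that are sensitive regardless of the key they sit under. Assumption.
VALUE_PATTERNS = [
    re.compile(r"\bBearer\s+[A-Za-z0-9._\-]+", re.IGNORECASE),       # Authorization header values
    re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),  # e-mail addresses
]


def _sensitive_key(key: str) -> bool:
    lowered = key.lower()
    return any(marker in lowered for marker in SENSITIVE_KEYS)


def _redact_string(text: str) -> str:
    for pattern in VALUE_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


def redact(node: Any) -> Any:
    """Return a deep copy of `node` with sensitive keys and values replaced."""
    if isinstance(node, dict):
        return {k: (REDACTED if _sensitive_key(k) else redact(v)) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item) for item in node]
    if isinstance(node, str):
        return _redact_string(node)
    return node  # numbers, booleans, null pass through unchanged


def redact_trace_json(text: str) -> str:
    """Parse a trace export, redact it, and return pretty-printed JSON safe to attach."""
    return json.dumps(redact(json.loads(text)), indent=2)


# Constructed sample trace; not a real export and not the documented trace schema.
SAMPLE_TRACE = json.dumps({
    "prompt": "You are a support agent. Contact: jane.doe@example.com",
    "tool_calls": [
        {
            "name": "GetCaseStatus",
            "args": {"caseId": "500-demo-1"},
            "headers": {"Authorization": "Bearer eyJhbGciOi.demo.token"},
        }
    ],
    "variables": {"userEmail": "jane.doe@example.com", "sessionToken": "demo-session-123", "caseCount": 3},
    "errors": ["Callout failed: Authorization: Bearer abc.def.ghi rejected"],
})


if __name__ == "__main__":
    print(redact_trace_json(SAMPLE_TRACE))
```

Run the redaction on the file the CLI workflow exports before piping it through jq or pasting it into a ticket; the key-based rule catches secrets under any name containing "token" or "secret", and the value-based rule catches e-mail addresses and bearer tokens that appear inside prompts or error strings where the key gives no hint.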

Ssd 3

Medium
Confidence
97% confidence
Finding
The file exposes concrete test-org metadata, including org alias, agent user email/identifier, API version, and instance URL, which can aid reconnaissance and targeting of that environment. Even if the org is non-production, publishing internal environment details in skill documentation expands the attack surface and may help an attacker craft phishing, credential stuffing, or environment-specific social engineering attempts.

VirusTotal

65/65 vendors flagged this skill as clean.
