Hemlane MCP

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for Hemlane automation, but it can capture live browser session credentials and perform real Hemlane account actions with limited user-facing safeguards.

Install only in a controlled environment for an authorized Hemlane account. Treat any captured auth file or terminal output as a live session secret, avoid shared logs, prefer dry-run/read-only tools first, and do not enable write tools unless you understand the hard-coded caller gate and the production effects of tenant messages, referrals, maintenance comments, lease creation, and e-sign packet creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill exposes powerful capabilities including shell, network, file read/write, and environment access, but does not declare permissions or boundaries. In a skill specifically designed to capture auth artifacts and replay live Hemlane requests, this omission prevents meaningful consent and review, increasing the chance of unauthorized data access or unintended account actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose emphasizes HAR analysis and workflow reconstruction, but the skill also captures live browser auth material, connects to live Hemlane endpoints, performs write actions, and creates lease/e-sign artifacts. This mismatch is dangerous because users may invoke what appears to be an analysis skill while actually enabling credential harvesting and state-changing operations on real accounts.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill description frames this server as HAR analysis, GraphQL extraction, and workflow reconstruction from saved captures, but the code exposes live write actions that can send messages, submit referrals, and post comments in Hemlane. In an agent/tooling context, capability mismatch is dangerous because users or higher-level orchestration may trust the skill as read/analysis-only while it can perform real state-changing operations against a production account.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The server authorizes write actions by reading caller identity from ambient runtime environment metadata, which is outside the declared HAR-analysis purpose and creates a hidden trust dependency on deployment context. In agent environments, ambient metadata is often easier to misconfigure, spoof across boundaries, or accidentally inherit than an explicit authenticated approval flow, making live-write authorization fragile.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The docstring and signature imply that send_tenant_reply uses the supplied auth_file, but the implementation ignores it and relies on separate runtime auth handling. This mismatch can cause operators to believe writes are scoped to a specific captured credential file when the tool may instead use ambient credentials, increasing the risk of unintended actions in the wrong account or session.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
submit_referral advertises auth_file as the credential source but ignores it in implementation, creating a misleading security boundary. In an automation setting, that can lead to writes being executed with ambient or previously loaded credentials rather than the operator-selected auth artifact.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
post_workorder_comment presents auth_file as an input controlling authentication, but the argument is unused. This is dangerous because it obscures the real trust model for a live write operation and may cause comments to be posted under unintended credentials or sessions.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
post_maintenance_comment similarly ignores auth_file despite documenting it as required. For a production write action, misleading auth semantics are a real security risk because they can produce unauthorized or misattributed state changes through hidden ambient credentials.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This script is explicitly designed to extract live authentication material from a running browser session, including authorization headers, CSRF tokens, and cookies, then print or persist them for reuse. That creates a credential-harvesting capability that exceeds passive HAR analysis and could enable full session hijacking or unauthorized API access if the output is misused or exposed.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code injects JavaScript into the live Hemlane page to monkey-patch fetch and intercept outbound request metadata and bodies, which is an invasive runtime manipulation of the user's authenticated session. In the context of a real estate management platform, this can capture sensitive tenant, financial, or maintenance workflow data and bypass normal user awareness.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script calls Network.getCookies for Hemlane domains and reconstructs a reusable Cookie header, then includes it in output. Exporting browser cookies from an authenticated session directly enables session replay and impersonation, especially when combined with the captured authorization and CSRF headers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to capture fresh authentication headers from a live Brave session via CDP, which can expose cookies, bearer tokens, CSRF tokens, and other session secrets. Without a strong warning about sensitivity, storage, retention, and misuse risk, the skill normalizes credential extraction and increases the chance those secrets are mishandled or reused beyond intended scope.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises tools for sending tenant replies, submitting referrals, posting comments, and creating lease artifacts without clearly warning that these are live, write-capable actions against Hemlane accounts. In this context, understated documentation can lead to unintended modifications of production records, communications, or legal/transactional artifacts by operators who believe they are only analyzing captured data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This file documents numerous real-looking GraphQL queries and mutations that expose highly sensitive fields including emails, phone numbers, mailing addresses, payment account last4, bank sync metadata, tenant financial balances, maintenance tokens, and downloadable document/photo URLs. In the context of a skill explicitly designed to reconstruct workflows from HAR/browser session artifacts, publishing these operations without redaction or privacy guidance materially increases the risk of credential/session misuse, unauthorized data access, and replication of sensitive tenant/owner financial workflows.

Vague Triggers

Low
Confidence
80% confidence
Finding
This catalog exposes a large set of high-impact GraphQL queries and mutations, including operations that access sensitive financial, tenant, maintenance, and contact data or perform state-changing actions, but the file provides no visible trigger scoping, least-privilege boundaries, or invocation constraints. In the context of a skill designed to reconstruct workflows from HAR/session artifacts, this broad operational surface materially increases the risk of overbroad data access, unintended replay of privileged actions, and abuse if an agent or downstream component invokes operations from the catalog without strong external authorization checks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly instructs updating `Public/DETAILS.md` with occupancy status, which implies writing potentially sensitive tenancy information into a public-facing file without any warning, access control discussion, or data-classification guidance. In the context of a property-management integration that handles tenant and lease data, this increases the risk of unintended disclosure of occupancy or resident-related information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The runbook instructs an operator to submit referral data containing multiple pieces of personal information directly to a live external API, but it provides no warning, consent requirement, or data-handling guardrails. In the context of an agent skill that reconstructs requests from HAR/browser artifacts, this increases the risk of unauthorized transmission of third-party PII or replay of previously captured data.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The instructions explicitly direct use of fresh browser session cookies and CSRF/header material to perform a live request, which normalizes handling of active session credentials without any warning or restriction. Because the skill is built around HAR-derived patterns and browser session artifacts, this materially increases the chance of credential misuse, session replay, or unauthorized actions against a live Hemlane account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prints a catalog that includes `sampleVariables` taken directly from captured GraphQL POST bodies in HAR files. HAR captures for a property-management platform can contain tenant, owner, financial, maintenance, or session-linked data, so echoing those variables to stdout or logs can unintentionally disclose sensitive information to terminals, CI logs, shared artifacts, or downstream tooling.

Missing User Warnings

High
Confidence
95% confidence
Finding
The script's primary behavior is to capture sensitive authentication artifacts and immediately print them, with optional disk output, yet it provides no user-facing warning, confirmation, or disclosure about the sensitivity of the material being extracted. This significantly increases the chance of accidental credential exposure through terminals, logs, shell history, or shared files.

Missing User Warnings

High
Confidence
98% confidence
Finding
Sensitive cookies are collected from the browser and may be written to disk via --out-file without encryption, access controls, or confirmation. In this skill context, that is especially dangerous because the extracted material can authorize actions in Hemlane workflows involving tenant communications, maintenance, and financial data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends captured session credentials and CSRF headers to a live production API to perform a state-changing action, but there is no explicit confirmation, safety interlock, or clear warning that real account actions will occur. In the context of a skill designed to reconstruct workflows from browser artifacts, this is dangerous because saved auth material may be replayed unintentionally, causing unauthorized or accidental lease creation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Creating an e-sign packet is a consequential downstream action that can trigger legal-signature workflow state changes, yet the code performs it automatically when --create-esign is set with no separate warning or confirmation. Because this skill operates on HAR-derived session artifacts, a user may not appreciate that replaying captured credentials can initiate legally significant document flows in a real tenant account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script prints extracted GraphQL operations, variables, and queries directly to stdout from HAR files, which commonly contain sensitive application data such as tenant details, tokens, message contents, or internal identifiers. In this skill's context—reconstructing Hemlane workflows from saved browser captures—the likelihood of handling real production session artifacts makes inadvertent exposure more likely and increases the practical risk of data leakage.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes sensitive, user-supplied comment content to a predictable fixed path under /tmp. On multi-user systems, this can expose private maintenance-request data to other local users through race conditions, symlink attacks, or residual file recovery, especially because the file name is constant and there is no secure creation, permission-setting, or cleanup.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal