Flux

Security checks across malware telemetry and agentic risk

Overview

Flux appears to be a legitimate shared-state integration, but it gives agents deletion and admin-configuration powers that deserve review before installation.

Install only if you want agents to send state to a Flux service. Prefer a private or local FLUX_URL for sensitive workflows, use a namespace-scoped least-privilege FLUX_TOKEN, do not publish secrets or personal data, avoid setting FLUX_ADMIN_TOKEN for normal agent sessions, and require explicit human approval before delete, batch-delete, or admin-config operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill exposes shell-driven operational capabilities but does not declare permissions or clearly constrain what commands/actions are available. In an agent environment, undeclared shell access increases the chance of over-broad execution, misuse of privileged environment variables, and unsafe invocation of destructive or administrative operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a publish/query coordination tool, but it also documents destructive deletion, connector credential management, service inspection, and admin configuration changes. This mismatch can cause agents or operators to invoke privileged or destructive behavior under the assumption that the skill is read/write coordination only, materially increasing the chance of unauthorized state changes or credential handling.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill's stated purpose is publishing events and querying shared state, but it also exposes administrative configuration management via /api/admin/config. This expands the capability far beyond the declared scope and creates a path for unauthorized or unintended reconfiguration of the backend if an agent or user invokes it with admin credentials.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Administrative config read/update capability is unjustified for a coordination/state-sharing skill and violates least privilege. In an agent setting, this mismatch is dangerous because callers may trust the skill description and unknowingly grant a tool access to sensitive operational settings and privileged mutation paths.

Context-Inappropriate Capability

Medium
Confidence
77% confidence
Finding
Connector enumeration is outside the advertised publish/query-state purpose and reveals extra infrastructure metadata that may aid reconnaissance. While less severe than direct mutation, exposing operational topology and status can help an attacker understand integrations and target weak points.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The help text claims FLUX_TOKEN is only for write operations, but the code attaches it to all API calls, including reads. This misrepresentation can cause users and higher-level agents to misunderstand the privilege and data-access scope of the token, increasing the risk of overbroad credential exposure and unsafe automation decisions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes publishing observations and querying shared state through a public default Flux endpoint, but it does not clearly warn users that data is transmitted to a remote service and may be persistently retained in an event history. In an agent context, this can lead to unintentional disclosure of sensitive operational, user, or system data because agents may follow examples literally and publish information without understanding the persistence and sharing implications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The usage examples explicitly instruct agents to run publish commands, but they omit any caution that the command sends data off-host to a remote service and that the data may become part of an immutable audit trail. Because this is an agent skill, examples strongly shape behavior, increasing the chance that real observations, environment details, or user-provided content are exfiltrated to an external system without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation includes entity deletion commands with no warning about permanence, scope, or confirmation requirements. In a shared persistent world-state system, deletion can remove coordination data relied on by multiple agents and may cause cascading operational errors or data loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill lists connector token storage/removal endpoints without any warning about handling secrets, token scope, auditability, or exposure risks. Credential-management features are especially sensitive because misuse can leak third-party access or let an agent store/replace tokens beyond its intended authority.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Admin configuration update capability is described as a normal operation without emphasizing that it can change system-wide behavior such as rate limits or other runtime controls. In a multi-tenant/shared-state service, misconfiguration can disrupt availability, weaken safeguards, or alter behavior for all users in the environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The admin-config update path sends privileged configuration changes immediately with no user-facing warning, dry-run, or confirmation. In agentic workflows, this increases the chance of accidental or prompt-induced destructive configuration changes, potentially affecting service behavior, authentication, or integrations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Batch deletion performs destructive remote actions without confirmation or strong safety messaging. In an agent context, a malformed filter or prompt injection could trigger large-scale deletion of shared state, causing data loss and coordination failures across systems.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- `GET /api/state/entities/:id` — Get specific entity

**Entity Management:**
- `DELETE /api/state/entities/:id` — Delete single entity
- `POST /api/state/entities/delete` — Batch delete (by namespace/prefix/IDs)

**Real-time Updates:**
Confidence
90% confidence
Finding
`DELETE /api/state/entities/:id`

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Connectors:**
- `GET /api/connectors` — List connectors and status
- `POST /api/connectors/:name/token` — Store PAT credential
- `DELETE /api/connectors/:name/token` — Remove credential

**Admin:**
- `GET /api/admin/config` — Read runtime config
Confidence
88% confidence
Finding
`DELETE /api/connectors/:name/token`

VirusTotal

66/66 vendors flagged this skill as clean.
