BookStack API

Security checks across malware telemetry and agentic risk

Overview

This BookStack skill appears coherent and not deceptive, but it needs review because it can change or delete live wiki content with broad activation wording and no built-in delete confirmation.

Install only if you intentionally want an agent to manage a BookStack instance. Use a dedicated least-privilege token, avoid granting delete rights unless needed, and require explicit confirmation before updates or deletions, especially for vague requests about docs or a wiki.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The README tells the agent to use this skill for very broad, natural-language phrases like 'update the docs' or 'check the wiki' even when BookStack is not explicitly named. This can cause unintended activation of a write-capable integration, increasing the chance of accidental edits, deletions, or data exposure in the wrong system.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README prominently advertises create, update, and delete operations against a live knowledge base but does not warn that these actions modify user data and may be irreversible. In an agent setting, omission of such warnings raises the risk of destructive actions being taken without adequate user awareness or confirmation.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The trigger text is overly broad, including generic phrases like 'update the docs' or 'check the wiki' even when BookStack is not named. This can cause the agent to select this skill in unrelated contexts, leading to unintended access to BookStack content or accidental modification of a remote knowledge base.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documentation prominently advertises create, update, and delete operations against a live remote wiki without warning about destructive effects or recommending user confirmation. In the context of an agentic skill, this increases the chance of accidental data loss, unauthorized content changes, or irreversible deletions on production documentation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The delete_book command performs an irreversible deletion immediately with no confirmation, dry-run, or force flag. In an agent-executed skill, a mistaken command, prompt confusion, or parameter mix-up can destroy documentation content unexpectedly, making this more dangerous than a typical manual CLI.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The delete_chapter command deletes content without any user-facing warning or confirmation. Because this skill is designed for automation and agent use against a knowledge base, accidental invocation can remove substantial documentation structure and nested content with no guardrail.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The delete_page command irreversibly removes a page with no confirmation step. In this skill context, pages are core documentation artifacts, so accidental or induced deletion can cause integrity loss and operational disruption even without a traditional code-execution flaw.

VirusTotal

65/65 vendors flagged this skill as clean.
