Max Auth

Security checks across malware telemetry and agentic risk

Overview

Max Auth mostly matches its authentication purpose, but its local server exposes session tokens and secret-handling flows in ways that need careful review before installation.

Install only after reviewing and hardening the deployment. Keep it local or tightly restrict the reverse proxy, avoid passing the master password on the command line, do not expose secret endpoints publicly, restrict returnUrl handling, and treat session tokens, grant records, and secret-form tokens as sensitive credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill documentation describes a networked authentication service and secret-handoff mechanism, but it does not declare the corresponding permissions/capabilities. Hidden or undeclared access to environment data and networking is dangerous because operators and downstream systems cannot accurately assess what the skill can do, especially for a component that handles passwords, passkeys, bearer tokens, and secret retrieval APIs.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
This is a real security concern because the documented purpose understates several sensitive behaviors: delegated grants, bearer-token verification, programmatic secret retrieval, subprocess-based network identity discovery, and especially redirecting to arbitrary return URLs with an auth token appended. Those behaviors expand the attack surface substantially and can enable token leakage, confused-deputy flows, unauthorized delegation, and misuse of secrets if integrators rely on the simplified description.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
The delegated grant feature expands this local auth server into a general authorization broker: any active session can mint grants for arbitrary child session keys, and grant validation is then treated as equivalent to authentication. Because grants are not bound to a separate secret, caller identity, or stronger authorization policy, compromise of one session can be leveraged to impersonate other channels or automation contexts for up to the grant lifetime.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding:
The secret-form creation and retrieval endpoints are unauthenticated, allowing any local caller who can reach the service to create phishing-style secret collection pages and retrieve submitted values. This turns the auth gate into a reusable secret brokerage service unrelated to simple authentication, which is especially dangerous because the UI presents itself as a trusted security component.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding:
These endpoints collectively expose authorization and secret-handling capabilities without requiring prior authentication, effectively creating a local-purpose platform for brokering trust and collecting sensitive data. In the context of an auth skill, this is more dangerous than in a generic web app because users and other components are likely to trust anything served by the authentication gateway.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The CLI requires the master password as a positional command-line argument, which commonly leaks into shell history, process listings, terminal logs, and audit systems. That can expose the root secret protecting all future authentications to other local users, monitoring tools, or forensic artifacts.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The served secret form asks users to enter arbitrary sensitive information but provides little disclosure about who requested it, how it will be used, where it is stored, or when it is retrieved. In an authentication-branded interface, that lack of transparency materially increases phishing and social-engineering risk because users are more likely to trust and submit secrets.

VirusTotal

66/66 vendors flagged this skill as clean.