qlik

Security checks across malware telemetry and agentic risk

Overview

This Qlik Cloud skill appears purpose-built rather than malicious, but it needs review because it gives an agent broad Qlik Cloud read/write power without enough guardrails around credentials, tenant targeting, or destructive actions.

Install only if you are comfortable giving the agent Qlik Cloud access with the permissions on the API key. Use a least-privilege, revocable API key; avoid storing it in committed files; verify QLIK_TENANT is your exact HTTPS Qlik Cloud domain; and require human confirmation before delete, reload cancel, automation run, alert trigger, or other production-impacting actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
This skill includes a destructive capability that permanently deletes Qlik apps, while the surrounding skill description emphasizes analytics, querying, and platform integration rather than high-risk destructive administration. In an agent setting, this mismatch increases the chance that users or higher-level planners invoke deletion unexpectedly, without sufficient awareness that the tool can cause irreversible loss of business content.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README instructs users to store a long-lived Qlik API key in TOOLS.md, which is likely a plaintext configuration file that may be committed to source control, shared with other agents, or exposed through workspace access. In the context of an agent skill that can manage apps, reloads, users, automations, and data, compromise of this key could grant broad access to tenant resources and business data.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README demonstrates passing the API key via inline environment variables on the command line without warning about operational exposure risks such as shell history, process listings in some environments, logging, and accidental copy/paste leakage. Because this skill targets Qlik Cloud administrative and data-access operations, exposure of the token could enable unauthorized searches, reloads, user/space operations, and access to analytics assets.

Vague Triggers

Medium
Confidence: 79%
Finding
The invocation description is broad enough to match many generic analytics, dashboard, business-data, or Qlik-related requests, which can cause the skill to trigger in situations broader than intended. In an agent setting, overbroad matching can route user requests to a powerful integration that has read/write capabilities against enterprise data and operational resources.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises state-changing operations such as app creation/deletion, reload triggering/canceling, automation execution, and alert triggering without prominent safety warnings or confirmation requirements. In practice, this could let an agent perform destructive or operationally disruptive actions on production analytics assets based on ambiguous or mistaken user prompts.

Missing User Warnings

Medium
Confidence: 93%
Finding
The setup section tells users to place a Qlik API key in configuration but gives no warning about secret handling, storage, rotation, or least privilege. This increases the chance of credential leakage through checked-in files, shared skill configs, logs, or screenshots, which could expose tenant data and administrative operations.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script performs an irreversible DELETE request immediately once given an app ID and valid credentials, with no confirmation, dry-run mode, or secondary validation of the target. In an autonomous or semi-autonomous agent workflow, this makes accidental invocation, prompt-induced misuse, or parameter confusion much more likely to result in permanent app deletion.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script explicitly advertises that it sends natural-language questions to Qlik Cloud and returns actual data, but it provides no runtime warning, consent check, or disclosure to the end user before transmitting potentially sensitive business queries and receiving potentially sensitive results. In an agent skill context, this increases the risk of users unknowingly sending confidential information to an external SaaS endpoint.

External Script Fetching

High
Category: Supply Chain
Content
TENANT="${QLIK_TENANT%/}"
[[ "$TENANT" != http* ]] && TENANT="https://$TENANT"

curl -sL \
  -H "Authorization: Bearer ${QLIK_API_KEY}" \
  -H "Content-Type: application/json" \
  "${TENANT}/api/v1/apps/${APP_ID}" | python3 -c "
Confidence: 87%
Finding
curl -sL \
  -H "Authorization: Bearer ${QLIK_API_KEY}" \
  -H "Content-Type: application/json" \
  "${TENANT}/api/v1/apps/${APP_ID}" | python

VirusTotal

62/62 vendors flagged this skill as clean.
