CordysCRM

Security checks across malware telemetry and agentic risk

Overview

This Cordys CRM skill is mostly coherent as an authenticated CRM assistant, but it gives broad live CRM access and includes an overbroad raw API escape hatch plus local identity persistence that users should review carefully.

Install only if you trust this skill with Cordys CRM credentials and business records. Use least-privilege API keys, set CORDYS_CRM_DOMAIN explicitly, do not enable CORDYS_ALLOW_UNTRUSTED, avoid or remove the raw command if possible, and treat User.md as sensitive local identity data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch (Medium, 92% confidence)

The skill claims to be a concise command-mapping utility, but the body describes a stateful business assistant that profiles users, executes API operations, and produces business conclusions. That gap matters because it obscures the true trust boundary and can cause operators to enable a much more privileged skill than intended.

Context-Inappropriate Capability (Medium, 93% confidence)

The documented automatic creation and reuse of `User.md` stores identity and role context on disk without clear necessity for a simple command-mapping skill. Persistent local identity data increases the risk of privacy leakage, stale authorization context, and cross-session misuse, especially on shared workstations or multi-user agent environments.

Description-Behavior Mismatch (Medium, 90% confidence)

The skill writes personally identifiable account data from `whoami` into a local `User.md` file even though the declared skill purpose is command translation. This expands data collection and retention beyond necessity, creating privacy and secret-sprawl risk if the skill directory is exposed, synced, logged, or later processed by other tools.

Context-Inappropriate Capability (Medium, 88% confidence)

Automatic identity discovery and behavior-based role inference are outside the stated scope of a CLI command-mapping skill and introduce unnecessary surveillance and authorization assumptions. Inferring roles from historical behavior can misclassify users and cause the system to generate commands or views inconsistent with least-privilege expectations.

Context-Inappropriate Capability (High, 97% confidence)

When identity cannot be recognized, the engine defaults to `sales-manager`, explicitly described as having broader coverage. This is a classic fail-open privilege decision: ambiguity results in an elevated access posture, which can lead the agent to expose, request, or act on broader CRM data than the user should receive.

Description-Behavior Mismatch (Medium, 93% confidence)

The implementation materially exceeds the declared skill scope. Instead of only mapping natural language to safe `cordys crm` commands, it is a fully functional authenticated CRM client that can directly access live backend data, increasing the attack surface and enabling unintended data access or actions under the user's credentials.

Context-Inappropriate Capability (High, 98% confidence)

The `raw` command allows arbitrary authenticated requests using the loaded CRM credentials, which bypasses the narrow, task-specific command set suggested by the skill description. Although there is a domain check, it still permits broad access to any endpoint on the trusted domain and can be pointed at other domains via `CORDYS_ALLOW_UNTRUSTED=1`, creating a serious capability for data exfiltration or unauthorized API use.

Description-Behavior Mismatch (High, 94% confidence)

The script exposes a generic `raw` command that lets a user supply arbitrary HTTP methods, paths, and extra curl arguments while automatically attaching CRM API credentials. That goes beyond a narrow natural-language-to-approved-command mapping skill and materially expands the attack surface, because an LLM or user can invoke undocumented or sensitive endpoints and potentially exfiltrate data.

Context-Inappropriate Capability (Critical, 99% confidence)

The code attempts to validate target domains, but explicitly allows bypassing that protection via `CORDYS_ALLOW_UNTRUSTED=1`, after which requests continue with `X-Access-Key` and `X-Secret-Key` headers intact. This creates a direct credential exfiltration path to arbitrary attacker-controlled URLs, which is especially dangerous in an agent skill where prompt injection or misconfiguration could trigger `raw` requests.

Vague Triggers (Medium, 84% confidence)

An overly broad trigger description can cause accidental activation from ordinary language, which is more dangerous here because the skill has access to secrets, shell, persistent storage, and external network operations. In this context, misfires are not merely UX issues: they can lead to unintended CRM queries or state changes under a privileged context.

Vague Triggers (Medium, 85% confidence)

The sample utterance is generic and lacks domain scoping, making it plausible that normal conversational text could activate the skill. Because this skill can perform live API access and role-based data retrieval, ambiguous examples materially increase the risk of unintended data exposure or unintended external requests.

Missing User Warnings (Medium, 94% confidence)

The skill states that it will automatically write `User.md` when missing or invalid, but it does not clearly warn the user that identity information will be persisted locally. Silent persistence of user identity and role data is risky because it creates privacy exposure and may affect future sessions without the user's awareness.

Missing User Warnings (Medium, 83% confidence)

The spec instructs the agent to read `User.md` and substitute identifiers such as `{userId}` and `{departmentId}` at runtime without any consent or disclosure boundary. In an agent setting, this can cause unintended access to local contextual data and silent insertion of sensitive internal identifiers into commands, logs, or downstream requests.

Missing User Warnings (Medium, 91% confidence)

The skill persists user ID, name, position, email, and derived role to `User.md` without clear upfront disclosure or consent. Even if the backend permissions remain intact, this creates avoidable privacy and compliance risk because sensitive profile data is retained locally and may be read by other processes, leaked via backups, or committed accidentally.

Missing User Warnings (Medium, 84% confidence)

A silent background refresh re-fetches and updates account identity data after 7 days without notifying the user. This undermines transparency and user control over data processing, and it can cause unexpected collection or persistence of updated account details beyond the user's awareness.

VirusTotal

66/66 vendors flagged this skill as clean.