ClawHub

Pdauth

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate OAuth integration tool, but it gives agents broad, persistent ability to act on connected third-party accounts without enough built-in scoping or revocation guidance.

Review this before installing if you plan to connect sensitive accounts. Authorize only the specific apps needed, inspect OAuth scopes, confirm every send/write/update action before the agent runs it, use dedicated or limited accounts where possible, and know how to revoke Pipedream or app access afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly enables an agent to obtain OAuth authorization and then perform API actions on a user's behalf across thousands of services, but it does not clearly warn that authorization may grant ongoing delegated access and broad account permissions. In an agent setting, that omission is dangerous because users may click links without understanding scope persistence, and operators may invoke powerful third-party actions without informed consent boundaries.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples normalize impactful cross-service operations such as sending messages, creating pages, updating data, and adding content to accounts without warning users or developers to review requested scopes, confirm target resources, or consider destructive effects. In this context, the skill is specifically designed to let an agent act on user-linked accounts, so omission of safety guidance increases the chance of accidental misuse, overbroad authorization, or unintended account changes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal