Catfee AgentFlow Workflow

Security checks across malware telemetry and agentic risk

Overview

This is a real workflow-management skill, but it can automatically modify remote AgentFlow data and upload files to a hard-coded plaintext HTTP server with unclear scoping and consent.

Review before installing. Only use this if you trust the AgentFlow service at the hard-coded IP address and are comfortable sending project details, requirements, tasks, and selected file contents there. Require explicit confirmation before syncing, uploading, deleting, or changing statuses, and avoid sensitive documents until HTTPS, authentication, workspace scoping, and data retention are documented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill exposes clear network capabilities via a hardcoded remote MCP endpoint, but no permissions are declared to signal that it can send data off-host. This weakens user awareness and platform policy enforcement, increasing the chance that project data, task metadata, or attachments are transmitted unexpectedly.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding: The description does not disclose search and context-data management features even though the skill documents search plus log/get/delete context operations. Hidden data access and context mutation capabilities can surprise users and increase the risk of unintended retrieval, retention, or deletion of workflow context.

Description-Behavior Mismatch

Severity: Low
Confidence: 84%
Finding: The description does not disclose search and context-data management features even though the skill documents search plus log/get/delete context operations. Hidden data access and context mutation capabilities can surprise users and increase the risk of unintended retrieval, retention, or deletion of workflow context.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: Trigger phrases such as '创建项目' (create project), '查看任务' (view tasks), '更新状态' (update status), and similar generic terms are broad and not scoped by repository, workspace, system, or confirmation rules. This increases the risk of unintended invocation in ordinary conversation, causing accidental remote actions against the workflow system.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill documents delete_project and delete_requirement operations without any warning about irreversibility, confirmation, or access control expectations. In an agent setting, this can lead to accidental or prompt-induced destructive actions that cause immediate data loss across projects or requirements.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill instructs uploads to a remote HTTP endpoint using a raw IP address, without privacy notice or transport-security guarantees. Because attachments may include requirement documents and task files, this creates significant confidentiality and integrity risk through interception, exfiltration, or upload to an untrusted service.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The upload flow reads an arbitrary local file and transmits its contents to a remote service, but the script provides no explicit warning, confirmation step, destination verification, or file-type/size constraints. In an agent skill context, this increases the risk of unintended exfiltration of sensitive local data if a user or higher-level agent supplies a path carelessly or maliciously.

VirusTotal

63/63 vendors flagged this skill as clean.