Addressfinder Australia

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate AddressFinder Australia integration, but it gives an agent broad authenticated API access through Membrane without enough guardrails for sensitive address data or mutating requests.

Install only if you trust Membrane and AddressFinder Australia with the address data involved. Prefer discovered Membrane actions over raw proxy calls, review the requested connection scopes, and require explicit user approval before any non-GET, account-changing, or deletion request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 85%
Finding
The description is broad enough to invoke the skill for generic 'manage data, records, and automate workflows' requests, which can cause the agent to select this external-networked skill in situations where the user did not clearly intend AddressFinder Australia access. In context, this increases the chance of unnecessary third-party data disclosure or unintended account actions because the skill is capable of live API interaction.

Missing User Warnings

Medium
Confidence: 91%
Finding
The proxy-request section encourages direct outbound API calls through Membrane without warning that request paths, query parameters, headers, and bodies may contain user-supplied sensitive data that will be transmitted to an external service. In this skill's context, that omission is meaningful because the skill is specifically designed for network access to a third-party SaaS, making silent exfiltration of address or related personal data more likely.

VirusTotal

65/65 vendors flagged this skill as clean.
