Appointo

Security checks across malware telemetry and agentic risk

Overview

This Appointo integration appears legitimate, but it gives the agent a broad raw API path that could change or delete scheduling data without clear built-in guardrails.

Install only if you want an agent to operate on your Appointo data through Membrane. Prefer listed Membrane actions over raw proxy calls, use the least-privileged Appointo account available, and require explicit approval before any create, update, delete, cancellation, or other non-GET request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill description, 'Use when the user wants to interact with Appointo data,' is very broad and can cause the agent to invoke this skill for a wide range of loosely related requests. In a capability that can manage records and automate workflows against an external service, over-broad routing increases the chance of unintended access or state-changing operations being selected without sufficient user intent verification.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly documents raw proxy requests with state-changing methods like POST, PUT, PATCH, and DELETE, but does not warn that these operations may create, modify, or delete Appointo data. Because the skill also frames proxying as a fallback when actions do not cover a use case, an agent may issue destructive API calls without user awareness, increasing the risk of unintended business-impacting changes.

VirusTotal

65/65 vendors flagged this skill as clean.
