Bilflo

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Bilflo/Membrane integration, but it gives agents broad write authority over live business data plus raw API access, without clear approval guardrails.

Install only if you trust Membrane with Bilflo access. Prefer least-privileged or test accounts, and require the agent to show the exact action, endpoint, HTTP method, and payload before approving any create, update, delete, payment, invoicing, contractor, client, or job change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill claims to integrate with Bilflo FP&A entities, but the documented actions operate on staffing and recruiting objects such as clients, contractors, and jobs. This mismatch can mislead an agent into invoking unintended capabilities against the wrong backend, causing unauthorized or destructive actions on unrelated business data.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The overview describes Bilflo accounting/FP&A objects like invoices, bills, payments, and tax rates, but the action set later exposes a contradictory staffing workflow. In a tool-selection context, this inconsistency increases the risk that an agent will trust false affordances and send sensitive operations or data to an unintended integration.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding:
The invocation description is very broad and suggests the skill should be used whenever a user wants to interact with Bilflo data, without narrowing allowed operations or risk boundaries. Overbroad routing can cause the agent to select this skill for sensitive requests and execute networked actions with insufficient confirmation or scoping.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill advertises record creation and updates against a remote business system but does not warn that it can modify live external data. In agent environments, missing mutation warnings increase the chance of accidental writes, data corruption, or unauthorized business changes based on ambiguous user intent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The proxy feature allows arbitrary direct API requests through an authenticated connection, but the documentation does not warn users that data may be transmitted to an external service or that this path bypasses safer prebuilt actions. This increases the risk of oversharing sensitive data, invoking dangerous endpoints, or performing unreviewed mutations.

VirusTotal

65/65 vendors flagged this skill as clean.