Blackbaud

Security checks across malware telemetry and agentic risk

Overview

This is a real Blackbaud integration, but it can change sensitive nonprofit and fundraising records without clear built-in approval guidance.

Install only if you trust Membrane and intend to let an agent work with live Blackbaud data. Use a least-privileged or sandbox Blackbaud account where possible, prefer list/get actions by default, and require explicit approval before creating or updating records, using raw proxy requests, handling gifts or revenue, importing or exporting data, changing settings/security, making purchases, or issuing DELETE-capable API calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill supports creating and updating Blackbaud records and also allows arbitrary proxied API requests, but the description does not clearly warn users that it can modify remote nonprofit/CRM data. This can lead to users invoking the skill without realizing it has write capabilities, increasing the risk of unintended data changes or destructive operations in a production Blackbaud environment.

VirusTotal

65/65 vendors flagged this skill as clean.
