Bouncer

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but its own description gives conflicting accounts of what Bouncer is, and it gives an agent broad authenticated control over a Bouncer/Membrane account.

Install only if you specifically intend to use Membrane with a Bouncer email verification account. Confirm the service being authorized before login, treat proxy actions and delete or finish actions as high-impact, and require explicit approval before any operation that deletes data, ends a batch, consumes credits, or sends email lists to the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill metadata claims broad CRM capabilities (organizations, leads, projects, pipelines, users, goals), but the body documents an unrelated Bouncer integration for email verification and toxicity checks. This mismatch can cause an agent to invoke the skill in the wrong context and operate on a different external service than the user intended, creating a serious risk of unauthorized or unintended data access and actions.

Intent-Code Divergence

High
Confidence: 99%
Finding
The file describes Bouncer as an Android privacy-permissions app, while the remainder of the skill documents an email verification API. Contradictory identity and purpose information is dangerous because it can mislead the agent and user about what system is being connected, what data is being processed, and what actions will be performed, increasing the chance of mis-scoped authentication and unintended external operations.

Vague Triggers

Medium
Confidence: 88%
Finding
The activation trigger is overly broad: 'Use when the user wants to interact with Bouncer data.' Combined with the contradictory description of what Bouncer is, this can cause the skill to be selected for ambiguous requests and increase the likelihood of the agent taking actions against the wrong service or dataset. The context makes this more dangerous because the skill supports external authenticated actions, not just local read-only help text.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill advertises destructive operations such as deleting jobs and batches and finishing batches early, but provides no warning, confirmation, or safety guidance. In an agentic setting, that omission can lead to irreversible actions being performed automatically or with insufficient user awareness, especially when action discovery and execution are encouraged via CLI commands.

VirusTotal

65/65 vendors flagged this skill as clean.
