ClawHub

Bunnycdn

Security checks across malware telemetry and agentic risk

Overview

This BunnyCDN skill is legitimate in purpose, but it can change, delete, or purge live CDN, DNS, and storage resources without clear confirmation safeguards.

Install only if you intend to grant Membrane-mediated access to a BunnyCDN account. Use least-privilege access where possible, start with list/get actions, and require explicit confirmation before any update, delete, DNS, storage, proxy, or cache-purge operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises destructive operations such as deleting zones and purging caches without requiring an explicit confirmation step or warning that these actions are irreversible or service-impacting. In an agent setting, this increases the chance of unintended destructive changes from ambiguous, mistaken, or prompt-injected requests.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal