ClawHub

Campaign Cleaner

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Campaign Cleaner integration, but it gives an agent broad authenticated power to delete or change campaign data without enough built-in safety instructions.

Review before installing. Use it only with the intended Campaign Cleaner account, verify the Membrane CLI package before global installation, and require explicit confirmation before deletes, updates, or any direct proxy request. Prefer listed Membrane actions over raw proxy calls and avoid sending sensitive campaign or account data unless necessary for the user-requested task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents a delete capability without instructing the agent to obtain explicit user confirmation before destructive actions. In an agent setting, this increases the risk of accidental or over-broad deletion of campaign data if the model interprets a vague user request as authorization to remove records.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The proxy request section enables arbitrary API requests, including state-changing methods like POST, PATCH, and DELETE, but provides no warning about sensitive data transmission, endpoint validation, or confirmation for destructive operations. In practice, this broadens the agent's ability to perform unsafe or unintended actions beyond the curated action set, increasing the chance of data loss or misuse.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal