ClawHub

Countdown Api

Security checks across malware telemetry and agentic risk

Overview

This Countdown API skill is mostly a normal Membrane integration, but it contains unrelated eBay action instructions and broad authenticated proxy guidance that should be reviewed before use.

Install only if you intend to use Membrane with Countdown API. Ignore the unrelated eBay action list, discover the real Countdown actions after connecting, and require explicit approval before any POST, PUT, PATCH, DELETE, or proxy request that sends sensitive data or changes remote resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The skill claims to integrate with Countdown API, but its 'Popular actions' section lists eBay-related operations. This mismatch can mislead an agent into invoking irrelevant or unintended actions against the wrong service or dataset, increasing the risk of inappropriate external requests and data handling errors. In a network-enabled skill, inaccurate action documentation is security-relevant because it can cause cross-service confusion and unintended data exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly documents raw proxy requests to an external API without warning that this transmits user-supplied data off-platform. That omission can lead an agent to send sensitive content directly to a third-party service without clear user awareness, especially when falling back from prebuilt actions to arbitrary endpoints.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal