Donedone

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate DoneDone integration, but it gives an agent broad authenticated power to change or permanently delete DoneDone data without enough scoping or safety guidance.

Install only if you are comfortable letting the agent operate through your DoneDone account. Use the narrowest DoneDone/Membrane permissions available, and require explicit approval before any create, update, delete, or raw proxy request, especially requests using POST, PUT, PATCH, or DELETE.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium, 95% confidence

The skill documentation explicitly permits arbitrary authenticated proxy requests to the DoneDone API, which materially expands capability beyond the manifest's generic description of interacting with DoneDone data. This is dangerous because it enables operations outside curated actions, including potentially destructive or privacy-impacting requests, without clear scope restriction or safety guidance.

Missing User Warnings

Medium, 93% confidence

The skill advertises permanent delete actions for tasks and conversations without any warning, confirmation requirement, or mention of irreversible impact. In an agent context, omission of destructive-operation safeguards increases the risk of accidental or unauthorized data loss if the skill is invoked loosely or misused.

Missing User Warnings

Medium, 96% confidence

The direct API proxy feature allows arbitrary authenticated requests but provides no warning about data exposure, account-wide effects, or integrity risks. In context, this is more dangerous than ordinary action execution because it bypasses the safer affordances of predefined actions and can be used for broad read/write/delete access.

VirusTotal

63/63 vendors flagged this skill as clean.