Erpnext

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate ERPNext integration, but it can give an agent broad access to sensitive business records with limited scoping or safety guidance.

Install only if you trust Membrane and intend to let an agent work with ERPNext through that account. Use a least-privileged ERPNext user, avoid production-wide permissions where possible, and require explicit confirmation before create, update, delete, import, bulk update, finance, HR, purchasing, or raw proxy API actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%

Finding:
The manifest advertises a narrow purpose ('Manage Companies'), but the body documents broad ERP administration, generic document operations, and arbitrary proxied API access. This mismatch can cause the skill to be invoked in situations far beyond the user's apparent intent, increasing the chance of over-privileged actions or unintended data access/modification.

Vague Triggers

Severity: Medium | Confidence: 87%

Finding:
The invocation text is broad enough to match many generic ERPNext-related requests, without boundaries on read-only vs write actions or sensitive modules. In an agent setting, ambiguous routing can trigger this skill for tasks involving finance, HR, user records, or admin surfaces that need tighter scoping.

Missing User Warnings

Severity: Medium | Confidence: 93%

Finding:
The skill explicitly promotes create, update, and raw proxy request capabilities, but does not warn that these operations can alter or delete ERPNext business records or reach arbitrary authenticated endpoints. In enterprise systems, this can lead to unauthorized state changes, data corruption, or misuse of broad authenticated access if the agent acts on vague prompts.

VirusTotal

64/64 vendors flagged this skill as clean.