ClawHub

Firebase Admin Sdk

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate-looking Firebase Admin skill, but it gives broad administrative power without enough scoping or confirmation guidance.

Install only if you intentionally want an agent to operate Firebase Admin through Membrane. Connect the minimum necessary Firebase project or account, prefer test projects first, and require explicit approval before deletes, authentication changes, database or storage writes, messaging sends, rules changes, or remote configuration updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest frames the skill as general Firebase data interaction, but the body documents full Firebase Admin SDK access with privileged administrative operations. That mismatch can cause the skill to be invoked in contexts where users or orchestrators do not realize it can perform high-impact admin actions, increasing the chance of overbroad or unsafe use.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented proxy feature allows arbitrary authenticated requests through Membrane, which is materially broader than the stated purpose of managing Firebase data and workflows. This creates a capability gap where an agent can issue destructive or unreviewed requests against privileged endpoints without clear user expectation or manifest-level disclosure.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation description is broad enough to match many generic Firebase-related requests, even though the skill operates with administrative privileges. Over-triggering a privileged skill raises the risk that an agent selects it for tasks better handled by a lower-privilege tool, exposing sensitive data or enabling unintended state changes.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The overview emphasizes secure administrative access and powerful management features but does not warn that these operations can modify production data, authentication state, messaging, storage, or configuration. In a privileged admin context, omission of impact warnings makes accidental misuse more likely and reduces informed consent for high-risk operations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The proxy request section describes arbitrary request construction, including destructive HTTP methods, without any user warning, guardrails, or approval requirements. In the context of Firebase Admin access, this materially increases the chance of unauthorized modification, deletion, or broad data access through raw authenticated calls.

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal