Gist

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it presents itself as GitHub Gist but appears to connect to a different Gist CRM service that can read, change, or delete customer data.

Do not install this expecting GitHub Gist code-snippet functionality. Only consider it if you intentionally want a getgist.com CRM/contact integration through Membrane, and require explicit approval before deletes, replies, campaign changes, or bulk contact/tag operations. Verify the Membrane CLI package and revoke the delegated connection when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The skill is labeled and described as a GitHub Gist integration, but the actions and data model target a different product involving contacts, conversations, campaigns, and tags. This mismatch can cause an agent to invoke the skill in the wrong context and operate on an unrelated external service, creating a real risk of unintended data access or modification.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The connection flow claims to connect to Gist but uses an inconsistent domain, which indicates the skill may bind the user to the wrong application. In practice, this can misdirect authentication and subsequent operations to an unintended third-party service, increasing the chance of unauthorized data exposure or destructive actions in the wrong system.

Vague Triggers

Medium
Confidence: 88%
Finding
The activation condition is overly broad and says to use the skill whenever the user wants to interact with Gist data, despite the rest of the file describing a different service. Broad routing language increases the likelihood an agent will select this skill for requests it should not handle, amplifying the impact of the product mismatch and potentially leading to unintended external actions.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill advertises destructive operations like deleting contacts and tags without requiring confirmation, warning, or safety guidance. In an agent setting, this increases the chance of accidental irreversible actions, especially when the skill itself is already misidentified and could target the wrong service or dataset.

VirusTotal

65/65 vendors flagged this skill as clean.