ClawHub

Godial

Security checks across malware telemetry and agentic risk

Overview

This GoDial skill is not deceptive, but it gives an agent broad authenticated control over CRM and account administration, including deletion, without clear confirmation safeguards.

Install only if you trust Membrane and need agent-driven GoDial administration. Use a least-privileged GoDial account, review every selected action before execution, and require explicit confirmation for deletes, account changes, member changes, billing/account operations, and any raw API proxy request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
76% confidence
Finding
The top-level description frames the skill as generally interacting with GoDial data, but the documented actions include destructive operations such as account removal. This mismatch can cause an agent or user to invoke the skill without appreciating that it can perform irreversible administrative changes, increasing the risk of unsafe use.

Description-Behavior Mismatch

Medium
Confidence
76% confidence
Finding
The top-level description frames the skill as generally interacting with GoDial data, but the documented actions include destructive operations such as account removal. This mismatch can cause an agent or user to invoke the skill without appreciating that it can perform irreversible administrative changes, increasing the risk of unsafe use.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation description is very broad, so an agent may select this skill for generic requests about GoDial and gain access to actions well beyond simple data retrieval. In context, this is more dangerous because the same skill exposes administrative and destructive operations, making overbroad routing a pathway to unintended side effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation advertises a destructive 'Remove Account' capability without any warning, safeguard, or confirmation guidance. In an agentic setting, absence of explicit friction around irreversible actions materially increases the chance of accidental or unauthorized deletion.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal