ClawHub

Google Directory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Google Directory admin skill, but it grants broad ongoing admin authority and includes an under-scoped raw proxy path that users should review carefully.

Install only if you intend to let an agent administer Google Workspace Directory through Membrane. Use a least-privileged admin account, run it only on a trusted machine, confirm any create/update/delete or role and membership changes before execution, avoid full-URL proxy requests unless you have reviewed the destination and method, and remove or revoke Membrane credentials when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill explicitly states that a full URL can be passed to the proxy and Membrane will use it as-is, which expands the tool from a Google Directory integration into a generic authenticated HTTP relay. That is dangerous because it can enable unintended access to arbitrary endpoints, SSRF-like behavior, or misuse of the agent’s network/auth context well beyond the stated Google Directory scope.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The description says to use the skill whenever the user wants to interact with Google Directory data, which is broad enough to trigger in many ordinary admin scenarios without narrowing scope to safe read-only versus sensitive write operations. In an agent setting, over-broad invocation criteria can cause the wrong skill to be selected and then used for high-impact directory changes such as modifying users, groups, or roles.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation tells users that credentials are stored in ~/.membrane/credentials.json but does not warn that this is sensitive local data that must be protected. In shared workstations, CI runners, or multi-user environments, this omission can lead to credential exposure and unauthorized reuse of the Google Directory connection.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The proxy guidance documents POST, PUT, PATCH, DELETE and arbitrary full-URL usage without any warning about destructive operations, scope expansion, or the need for confirmation before making changes. In a Google Directory context, this is especially risky because the same mechanism could be used to alter users, groups, roles, or call unrelated endpoints, amplifying accidental or unauthorized admin actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal