ClawHub

Mediatoolkit

Security checks across malware telemetry and agentic risk

Overview

This Mediatoolkit skill is a real integration, but it gives an agent broad authenticated API control, including write and delete requests, without clear confirmation guardrails.

Install only if you trust Membrane, its npm CLI, and its proxy service with your Mediatoolkit account. Prefer prebuilt Membrane actions, use a least-privilege Mediatoolkit account where possible, require confirmation before any write/delete or user-management request, and revoke the connection when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill explicitly documents a generic proxy mechanism that can issue arbitrary requests to the Mediatoolkit API, including state-changing methods such as POST, PUT, PATCH, and DELETE, without instructing the agent to obtain explicit user confirmation before transmitting data or making changes. In an agent setting, this increases the risk of unintended data disclosure, destructive operations, or overbroad API use if the model decides to use the proxy path autonomously.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal