Mercury

Security checks across malware telemetry and agentic risk

Overview

This is a real-looking Mercury/Membrane integration, but it gives broad access to sensitive financial data and write-capable API operations that are not clearly scoped by its description.

Review before installing. Only connect a Mercury account with the minimum permissions needed, prefer listed read-only actions, require explicit confirmation before creating or updating customers, invoices, or recipients, avoid raw proxy requests unless you know the exact endpoint and method, and revoke the Membrane connection when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium (90% confidence)
Finding
The skill metadata says it is for managing organizations/Mercury data, but the documented actions include broad financial operations such as listing transactions, recipients, invoices, and creating customers or invoices. This mismatch can cause an orchestrator or user to invoke the skill under a narrower trust assumption than its real capabilities, increasing the risk of unintended access to sensitive banking data or unintended financial changes.

Intent-Code Divergence

High (96% confidence)
Finding
The documentation claims this is a Mercury integration but also references Mercury Postlight web-parser documentation, which is a different product/API domain than the banking/payment actions listed later. This internal contradiction can mislead users and agents about what system they are authenticating to and what data/actions are actually in scope, creating a serious risk of confused-deputy behavior and unsafe execution against the wrong external service.

Vague Triggers

Medium (84% confidence)
Finding
The invocation description is overly broad: 'Use when the user wants to interact with Mercury data.' Because the skill appears to expose sensitive banking and payment operations, such generic routing language may cause it to trigger for loosely related requests without sufficiently clear user intent. In this context, broad invocation is more dangerous because the connected system contains high-value financial data and write-capable operations.

Missing User Warnings

Medium (91% confidence)
Finding
The skill documents raw proxy requests and write-capable API usage without warning that requests may transmit data to an external financial service or modify live records. In a banking/finance context, allowing generic direct requests significantly expands the action surface and can enable unreviewed data exfiltration, creation or modification of records, or invocation of unsupported endpoints.

VirusTotal

57/57 vendors flagged this skill as clean.
