Moonclerk

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it gives an agent broad authenticated access to a MoonClerk payment account with misleading CRM-style routing text and weak safeguards for financial changes.

Install only if you intend to let an agent access MoonClerk through Membrane. Use a least-privileged or test account where possible, inspect discovered actions before running them, and require explicit approval before creating, updating, deleting, refunding, changing settings, or modifying webhooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
92% confidence
Finding:
The manifest advertises CRM-style capabilities such as managing persons, organizations, deals, leads, and projects, while the body of the skill is clearly about MoonClerk billing and payment resources. This mismatch can cause the agent to invoke the skill in the wrong context and potentially expose or modify payment-related data when the user intended unrelated CRM operations.

Vague Triggers

Medium
90% confidence
Finding:
The description says to use the skill whenever the user wants to interact with MoonClerk data, which is overly broad and encourages invocation without task-level constraints or safety checks. In practice, that can route many sensitive payment, subscription, refund, and customer-data actions through the skill even when a narrower or read-only path would be more appropriate.

VirusTotal

65/65 vendors flagged this skill as clean.