Php Point Of Sale

Security checks across malware telemetry and agentic risk

Overview

This PHP Point of Sale skill is mostly transparent, but it gives agents broad authenticated access to business data, including raw write and delete API requests, without strong guardrails.

Install only if you intend to give an agent Membrane-mediated access to a PHP Point of Sale account. Use the least-privileged POS account available, review the Membrane connection scopes, and require explicit confirmation before creating, updating, submitting, or deleting sales, payments, inventory, customer, employee, supplier, or expense records. Prefer curated Membrane actions over raw proxy requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill metadata says it is for managing Organizations, but the body documents access to a very broad PHP Point of Sale surface area and, further on, enables arbitrary authenticated API requests. This mismatch can cause the agent-selection layer or human reviewers to underestimate the skill's privileges, increasing the chance of unintended high-scope actions.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The proxy request section explicitly allows arbitrary authenticated GET/POST/PUT/PATCH/DELETE requests to the upstream API through Membrane. That creates a broad escape hatch around curated actions and enables destructive or sensitive operations well beyond the narrow use implied by the skill description.

Vague Triggers

Medium
Confidence: 83%
Finding
The invocation description is broad enough that an orchestrator may route many generic retail-data tasks to this skill, even when the task is outside the least-privilege scope suggested by the name and summary. In combination with the skill's broad backend access, this increases the risk of overbroad use and unauthorized data operations.

Missing User Warnings

Medium
Confidence: 93%
Finding
The markdown documents a direct authenticated request mechanism with write-capable HTTP methods but does not clearly warn that it can perform destructive changes or bypass safer pre-built actions. Users and agents may therefore treat it as routine functionality without appreciating the elevated risk.

VirusTotal

65/65 vendors flagged this skill as clean.