ClawHub

Project Broadcast

Security checks across malware telemetry and agentic risk

Overview

This Project Broadcast integration is mostly coherent, but it gives an agent broad authenticated API and proxy authority without clear guardrails for destructive or out-of-scope requests.

Install only if you trust Membrane and are comfortable letting the agent use your authenticated Project Broadcast connection. Prefer prebuilt Membrane actions, require explicit approval before creating, updating, sending, or deleting anything, and avoid full-URL proxy requests unless you have verified the destination and need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly allows passing a full URL to the Membrane proxy, which can route authenticated or agent-initiated requests to arbitrary destinations rather than only Project Broadcast. This expands the skill from a scoped SaaS integration into a general network-capable request primitive, increasing the risk of SSRF-like abuse, data exfiltration, or use against unintended external services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation encourages direct API requests with GET, POST, PUT, PATCH, and DELETE through the proxy without any warning about destructive effects or the need for user confirmation. In an agent setting, this can normalize unsafe mutations and increase the chance of unintended creation, modification, or deletion of Project Broadcast resources.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal