Recharge

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate ReCharge integration, but it gives an agent broad authenticated access to sensitive subscription and billing data without clear approval boundaries for writes or deletes.

Install only if you trust Membrane and intend to let an agent operate on your ReCharge account. Use least-privilege or test-store access where possible, review every endpoint and request body before raw proxy calls, and require explicit approval before creating, updating, deleting, charging, canceling, or refunding anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The manifest and top-level description frame the skill as managing ReCharge customer data, but the body documents access to broader ReCharge objects and workflows such as charges, addresses, shop, analytics, and general connection setup. This scope mismatch can cause an orchestrating agent or user to invoke the skill with narrower expectations than the actual capability set, increasing the chance of over-broad actions being taken.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill description suggests customer/data interaction, but this section explicitly enables arbitrary proxied API requests, including POST, PUT, PATCH, and DELETE. That gives the agent a generic authenticated conduit to the full ReCharge API, which can bypass intended limitations and lead to unauthorized modification or deletion of billing, subscription, or customer data.

Vague Triggers

Medium
Confidence: 80%
Finding
The invocation text is broad enough that an agent may select this skill for many loosely related requests about ReCharge data without sufficient user intent verification. In a system with autonomous tool selection, ambiguous activation criteria can trigger access to sensitive commerce and subscription data when a narrower or read-only tool would have been more appropriate.

VirusTotal

64/64 vendors flagged this skill as clean.
