ClawHub

Retently

Security checks across malware telemetry and agentic risk

Overview

This Retently skill is not clearly malicious, but it needs review because it grants broad authenticated Retently access with unclear scope and weak safeguards for write or delete actions.

Install only if you trust Membrane and want an agent to access your Retently account. Use the least-privileged Retently connection available, prefer discovered Membrane actions over raw proxy calls, and require the agent to show the endpoint, method, and payload before any POST, PUT, PATCH, or DELETE request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest claims the skill manages CRM-style entities like Persons, Organizations, Deals, Leads, Projects, and Activities, but the body of the skill describes a Retently integration focused on surveys, responses, contacts, and accounts. This mismatch can cause an agent to invoke the skill for the wrong user intent and potentially issue unintended reads or writes against an external service under false assumptions about the underlying data model.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The top-level description directly contradicts the detailed documentation, creating ambiguity about what system and objects the skill actually controls. In an agentic environment, contradictory capability descriptions are dangerous because tool selection and parameterization may rely on manifest text, leading to confused-deputy behavior or unintended data modification in the connected account.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation description is broad enough that the skill may be selected for generic 'Retently' requests without clarifying whether the task is read-only, administrative, or data-changing. Over-broad routing increases the chance that an agent will use this skill in situations where user confirmation, narrower scoping, or a different tool would be more appropriate.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents a generic proxy mechanism that supports arbitrary Retently API requests, including POST, PUT, PATCH, and DELETE, without emphasizing that these methods can change or destroy remote data. In an LLM-driven workflow, providing mutation-capable request primitives without safety guidance materially raises the risk of accidental destructive actions or misuse beyond intended pre-built actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal