ClawHub

Rev

Security checks across malware telemetry and agentic risk

Overview

This Rev skill is not clearly harmful, but it needs review because its stated scope is inconsistent and it can issue broad authenticated API requests through Membrane.

Install only if you trust Membrane and intend to let an agent access your Rev account. Prefer specific Membrane actions over raw proxy requests, and require explicit confirmation before creating, updating, deleting, billing, account-management, or other sensitive actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest advertises a capability set unrelated to the documented integration, creating a semantic mismatch between what the orchestrator may select the skill for and what the skill actually does. This can cause the agent to invoke the skill in the wrong context, leading to unintended external actions, data access, or unsafe user guidance under false pretenses.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The file contains internally contradictory claims about what resources the skill manages, which undermines reliable tool routing and user trust. In an agent environment, this ambiguity is dangerous because the system may choose the skill for requests involving organizations/users/goals while the implementation actually targets Rev transcription resources and generic API access.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation description is overly broad, so the skill may be selected for vague or generic requests involving 'Rev data' without clear constraints on allowed operations. Because the skill supports connection setup, action discovery, and proxy requests, overbroad routing increases the chance of unnecessary external access or actions beyond the user's specific intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal