Plutio

Security checks across malware telemetry and agentic risk

Overview

This is mostly a legitimate Plutio task-management skill, but it needs Review because it handles live API secrets and task-changing workflows with weak safeguards.

Install only if you are comfortable giving it Plutio API access that can read workspace data and change tasks. Avoid pasting secrets into chat or command history, prefer dedicated low-privilege credentials, review bulk-update examples before use, remove or edit the Matrix notification example, and clear the local token cache or scheduled scripts when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes and encourages use of shell execution, network access to the Plutio API, and local token caching, but no explicit permissions declaration is provided. This creates a transparency and governance gap: users and hosting systems cannot accurately evaluate or constrain the skill's capabilities before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially differs from the actual behavior: it claims project management, task closing, and full-field task creation/update support, while later admitting several of those operations are unsupported and that tokens are cached locally. Such mismatches can mislead users into supplying secrets or invoking actions under false assumptions, weakening informed consent and safe operation.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file contains internally contradictory security-relevant documentation: it advertises full-field task creation and updates, then later states the API does not support those operations and users must use the UI instead. Contradictory guidance can cause operators to rely on nonexistent safeguards or workflows, increasing the chance of credential exposure, failed automations, or unintended task modifications.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The later 'Supported Operations' and 'Known Limitations' sections directly contradict earlier examples showing update-task and rich task creation. In a skill that handles external API actions and credentials, this inconsistency is dangerous because users may execute commands believing they are supported and safe when they are not.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The reference documents a DELETE /tasks/{taskId} capability even though the skill metadata says it supports creating, updating, closing, or querying tasks and projects, not deletion. This creates a scope mismatch that could enable destructive actions beyond what users or reviewers would reasonably expect from the skill.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The reference includes People endpoints that are not described in the skill manifest, expanding the apparent capability surface to workspace user enumeration and retrieval. Even if read-only, undocumented access to people records can expose personal data like names, emails, roles, and account status.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill exposes a people-listing capability that is broader than the stated project/task management scope. In an agent context, this increases accessible data to workspace-wide personally identifiable information such as names and emails, creating unnecessary privilege and data exposure beyond user expectations.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The CLI help and documentation describe project/task management while also providing workspace people enumeration. This mismatch can mislead reviewers and users about the actual data access surface, making overscoped behavior easier to approve and deploy unnoticed.
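The least-privilege and scope-mismatch findings above all reduce to one check: does the endpoint reference document more than the manifest declares? The following is an added example, not code from the Plutio skill or from SkillSpector, of how a reviewer can automate that comparison. The reference excerpt, the declared-scope table, and the resource names are constructed for the example from what the findings describe; the PII classification of the People endpoints is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed excerpt standing in for the skill's API reference document.
# It is not the real Plutio reference; the endpoints mirror what the findings describe.
REFERENCE_DOC = """
### List Tasks
GET /tasks
### Create Task
POST /tasks
### Update Task
PUT /tasks/{taskId}
### Delete Task
DELETE /tasks/{taskId}
### List Projects
GET /projects
### List People
GET /people
### Get Person
GET /people/{personId}
"""

# Hypothetical declaration derived from the manifest wording
# "creating, updating, closing, or querying tasks and projects":
# (method, top-level resource) pairs the skill is allowed to use.
DECLARED_SCOPE = {
    ("GET", "tasks"), ("POST", "tasks"), ("PUT", "tasks"),
    ("GET", "projects"), ("POST", "projects"), ("PUT", "projects"),
}

# Resources whose records carry personal data (assumption); even reads are a disclosure risk.
PII_RESOURCES = {"people"}

# Matches lines such as "DELETE /tasks/{taskId}" in a markdown reference.
ENDPOINT_RE = re.compile(
    r"^(GET|POST|PUT|PATCH|DELETE)\s+(/([A-Za-z0-9_-]+)\S*)\s*$", re.MULTILINE
)


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str
    resource: str


def extract_endpoints(doc: str) -> list[Endpoint]:
    """Pull every 'METHOD /path' line out of a reference document."""
    return [Endpoint(m.group(1), m.group(2), m.group(3)) for m in ENDPOINT_RE.finditer(doc)]


def classify(ep: Endpoint) -> str:
    """Why an undeclared endpoint matters: destructive, PII-bearing, or merely out of scope."""
    if ep.method == "DELETE":
        return "destructive"
    if ep.resource in PII_RESOURCES:
        return "pii"
    return "out-of-scope"


def undeclared_endpoints(doc: str, declared: set[tuple[str, str]]) -> list[tuple[Endpoint, str]]:
    """Endpoints the reference documents but the manifest never declared, with a reason."""
    return [
        (ep, classify(ep))
        for ep in extract_endpoints(doc)
        if (ep.method, ep.resource) not in declared
    ]


def report(doc: str = REFERENCE_DOC, declared: set[tuple[str, str]] = DECLARED_SCOPE) -> list[str]:
    """One line per gap, suitable for pasting into review notes."""
    return [f"{why:12} {ep.method} {ep.path}" for ep, why in undeclared_endpoints(doc, declared)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run against the constructed excerpt, the check surfaces exactly the three gaps the findings describe: the undeclared DELETE on tasks and the two People reads. The same approach works as a pre-install gate if the declared scope is read from the skill manifest instead of a constant.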

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup guide tells users to paste Plutio client credentials directly into chat, which can expose secrets to logs, conversation history, integrations, or other operators of the chat system. Because these credentials can be exchanged for access tokens to a live SaaS workspace, disclosure could enable unauthorized access to projects, tasks, and workspace metadata.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The quick-start commands place app keys and secrets directly on the command line, where they may be captured in shell history, process listings, CI logs, or telemetry. Since these are live API credentials, exposure can allow an attacker or another local user to authenticate to the Plutio workspace and read or modify data within the granted scope.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation presents task deletion as a normal operation without any warning, confirmation guidance, or caution about irreversibility. In an agent skill context, omission of guardrails around destructive actions increases the risk of accidental or overly broad deletion initiated by prompts or misunderstood user requests.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This example performs bulk closure of tasks in a loop without any confirmation, dry-run mode, or warning that many records may be modified at once. In operational use, a copied command or automation mistake could silently close large sets of tasks, causing workflow disruption, loss of visibility, and potentially incorrect business state.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The bulk custom-field update workflow applies mass changes across all returned tasks without warning, preview, or rollback guidance. If used incorrectly, it can overwrite metadata at scale and create hard-to-reverse integrity issues in project tracking data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation provides a bulk-close workflow that iterates over matching tasks and closes them immediately, with no confirmation prompt, dry-run mode, or warning about destructive consequences. In an agent or copy-paste automation context, this increases the chance of accidental mass state changes that can disrupt project tracking and cause operational data integrity issues.
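The three bulk-workflow findings and the earlier task-deletion finding describe the same missing guardrails: no dry run, no confirmation, no cap on how many records change at once. The following is an added example of the shape those guardrails take; it is not the skill's code, and the in-memory client, task data, and `close`/`delete` action names are constructed for the example and do not reflect the real Plutio API.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Task:
    id: str
    title: str
    status: str = "open"


class FakePlutioClient:
    """Constructed in-memory stand-in for the Plutio API; not the real client."""

    def __init__(self, tasks: list[Task]):
        self.tasks = {t.id: t for t in tasks}
        self.calls: list[str] = []  # every write performed, for auditing

    def list_tasks(self, status: Optional[str] = None) -> list[Task]:
        return [t for t in self.tasks.values() if status is None or t.status == status]

    def update_task(self, task_id: str, **fields) -> None:
        self.calls.append(f"update {task_id}")
        for name, value in fields.items():
            setattr(self.tasks[task_id], name, value)

    def delete_task(self, task_id: str) -> None:
        self.calls.append(f"delete {task_id}")
        del self.tasks[task_id]


@dataclass
class BulkPlan:
    action: str          # "close" or "delete"
    targets: list[Task]
    applied: bool = False

    @property
    def confirm_token(self) -> str:
        # The caller must repeat both action and count; a bare True is not accepted.
        return f"{self.action} {len(self.targets)} tasks"

    def preview(self) -> list[str]:
        return [f"{self.action}: {t.id} {t.title!r} ({t.status})" for t in self.targets]


MAX_AFFECTED = 25  # hard ceiling unless the operator raises it explicitly


def plan_bulk(client, action: str, *, status: str = "open", title_contains: str = "") -> BulkPlan:
    """Dry run by default: select targets and return a plan without touching the API."""
    if action not in ("close", "delete"):
        raise ValueError(f"unknown bulk action {action!r}")
    needle = title_contains.lower()
    return BulkPlan(action, [t for t in client.list_tasks(status) if needle in t.title.lower()])


def apply_bulk(client, plan: BulkPlan, *, confirm: Optional[str] = None,
               max_affected: int = MAX_AFFECTED) -> int:
    """Apply a plan only with the exact confirmation token and under the affected-records cap."""
    if plan.applied:
        raise RuntimeError("plan already applied; build a fresh one")
    if not plan.targets:
        return 0
    if len(plan.targets) > max_affected:
        raise ValueError(f"{len(plan.targets)} tasks exceed the cap of {max_affected}; narrow the filter")
    if confirm != plan.confirm_token:
        raise ValueError(f"dry run only; pass confirm={plan.confirm_token!r} to apply")
    for t in plan.targets:
        if plan.action == "close":
            client.update_task(t.id, status="closed")
        else:
            client.delete_task(t.id)
    plan.applied = True
    return len(plan.targets)


def try_apply(client, plan: BulkPlan, confirm: Optional[str] = None,
              max_affected: int = MAX_AFFECTED) -> str:
    """Wrapper that reports the outcome as text instead of raising."""
    try:
        return f"applied {apply_bulk(client, plan, confirm=confirm, max_affected=max_affected)}"
    except (ValueError, RuntimeError) as exc:
        return f"refused: {exc}"


def demo_client() -> FakePlutioClient:
    """Constructed sample data for the example."""
    return FakePlutioClient([
        Task("t1", "Send invoice to client A"),
        Task("t2", "Invoice follow-up"),
        Task("t3", "Write release notes"),
        Task("t4", "Old invoice", status="closed"),
    ])


if __name__ == "__main__":
    client = demo_client()
    plan = plan_bulk(client, "close", title_contains="invoice")
    print("\n".join(plan.preview()))
    print(try_apply(client, plan))                              # refused: dry run only
    print(try_apply(client, plan, confirm=plan.confirm_token))  # applied 2
```

The design point is that the confirmation token restates the action and the count, so an agent or a copied command cannot satisfy it without having seen the preview, and the cap turns an over-broad filter into a refusal rather than a mass change.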

Vague Triggers

Medium
Confidence
90% confidence
Finding
The phrase "Configure Plutio skill with my credentials" is broad enough that a normal user message could unintentionally trigger credential-handling behavior. In a chat-driven agent environment, ambiguous setup triggers can cause the assistant to solicit or process secrets in contexts the user did not clearly intend, increasing the risk of accidental disclosure or unsafe storage.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide explicitly instructs users to send client ID and client secret through chat, but does not clearly warn that chat systems may retain transcripts, expose content to operators, or log messages for debugging. Because these are long-lived API credentials, disclosure through chat can directly enable unauthorized access to the user's Plutio workspace.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The examples pass the app key and secret as command-line arguments, which commonly exposes them via shell history, process listings, audit logs, and terminal scrollback. This is especially risky on shared or monitored systems, where other local users or logging tools may recover the credentials.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The alias examples continue the unsafe pattern of supplying secrets as command-line arguments, normalizing an insecure workflow for repeated use. Repetition increases the chance the credentials will be captured in shell history, copied into documentation, or exposed through process monitoring.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Accepting the app key and secret directly on the command line exposes credentials to shell history, process listings, audit logs, and orchestration telemetry. In shared or multi-user environments, other local users or monitoring systems may recover these secrets and obtain API access.
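The credential-handling findings above (secrets pasted into chat, secrets on the command line in quick-start and alias examples) share one remedy: the tool should refuse secrets on argv and take them from the environment or a file that only the owner can read. The following is an added example of that pattern, not the skill's own CLI; the flag names `--app-key`/`--app-secret` and the `PLUTIO_APP_KEY`, `PLUTIO_APP_SECRET` and `PLUTIO_APP_SECRET_FILE` variable names are assumptions made for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Flags that carry secrets in the quick-start style the findings describe.
# Assumed names for this example, not the skill's actual CLI flags.
SECRET_FLAGS = ("--app-key", "--app-secret")

# Environment variable names are likewise assumptions for this example.
ENV_KEY, ENV_SECRET, ENV_SECRET_FILE = "PLUTIO_APP_KEY", "PLUTIO_APP_SECRET", "PLUTIO_APP_SECRET_FILE"


def secret_flags_on_argv(argv: list[str]) -> list[str]:
    """Secret-bearing flags present on the command line, as '--flag value' or '--flag=value'."""
    found = []
    for arg in argv:
        for flag in SECRET_FLAGS:
            if arg == flag or arg.startswith(flag + "="):
                found.append(flag)
    return found


def redact_argv(argv: list[str]) -> list[str]:
    """Copy of argv that is safe to log or echo: secret values replaced with '***'."""
    out, hide_next = [], False
    for arg in argv:
        if hide_next:
            out.append("***")
            hide_next = False
            continue
        flag = next((f for f in SECRET_FLAGS if arg == f or arg.startswith(f + "=")), None)
        if flag is None:
            out.append(arg)
        elif arg == flag:
            out.append(arg)
            hide_next = True
        else:
            out.append(flag + "=***")
    return out


def read_secret_file(path: str) -> str:
    """Read a secret from a file, refusing one that group or other can access."""
    p = Path(path)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {oct(mode)} is accessible beyond the owner; chmod 600 it")
    return p.read_text(encoding="utf-8").strip()


def load_credentials(argv: list[str], env: dict) -> tuple:
    """Hardened loading: never from argv; from the environment or a 0600 file instead."""
    leaked = secret_flags_on_argv(argv)
    if leaked:
        raise ValueError(f"refusing secrets on the command line ({', '.join(leaked)}); "
                         "they end up in shell history and process listings")
    key = env.get(ENV_KEY)
    secret = env.get(ENV_SECRET)
    if secret is None and env.get(ENV_SECRET_FILE):
        secret = read_secret_file(env[ENV_SECRET_FILE])
    if not key or not secret:
        raise ValueError(f"set {ENV_KEY} and {ENV_SECRET} (or {ENV_SECRET_FILE})")
    return key, secret


def credentials_accepted(argv: list[str], env: dict) -> bool:
    """True if load_credentials would succeed for this argv/env pair."""
    try:
        load_credentials(argv, env)
        return True
    except (ValueError, PermissionError, OSError):
        return False


def secret_file_mode_check() -> tuple:
    """Demonstrate the permission check on constructed files: (0600 accepted, 0644 accepted)."""
    results = []
    for mode in (0o600, 0o644):
        with tempfile.NamedTemporaryFile("w", delete=False) as f:
            f.write("constructed-secret\n")
            path = f.name
        os.chmod(path, mode)
        try:
            read_secret_file(path)
            results.append(True)
        except PermissionError:
            results.append(False)
        finally:
            os.unlink(path)
    return results[0], results[1]


if __name__ == "__main__":
    print(redact_argv(["plutio", "auth", "--app-key", "k", "--app-secret=s"]))
    print(secret_file_mode_check())
```

Environment variables are an improvement over argv, not a complete fix: on Linux the same user can still read them from `/proc/<pid>/environ`, and child processes inherit them, so the owner-only secret file (or reading the secret from a prompt with echo disabled) is the stronger option for a shared host. Whatever the source, `redact_argv` is what should reach any log line or chat transcript.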

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### Delete Task

```
DELETE /tasks/{taskId}
```

**Response** (204 No Content)
Confidence
94% confidence
Finding
DELETE /tasks/{taskId}

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal