Gcp Fullstack

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for real GCP app development, but it asks for broad cloud, DNS, repository, filesystem, network, and credential authority with incomplete scoping and warnings.

Install only if you intend to let an agent help manage a GCP project, Cloudflare zone, and repository workflow. Use a staging project first, create least-privilege GCP/Firebase/Cloudflare credentials, avoid production data in QA prompts sent to OpenRouter, and require explicit human approval before deploys, DNS/security changes, IAM changes, public exposure, database changes, or CI/CD triggers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The skill's migration guide says QA-gate behavior was extracted to a separate skill, but the same file later embeds a full pre-production QA gate workflow. This inconsistency can cause operators or orchestration systems to load and trust a narrower skill boundary than actually exists, increasing the chance that a broadly privileged user-invocable skill performs more actions than expected.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The credential-scope section claims the skill never makes direct API calls with credentials, yet the documented implementation later performs a direct HTTPS request to OpenRouter with an Authorization bearer token. This is dangerous because reviewers and users may rely on the false claim when deciding whether the skill can safely handle secrets, while the actual behavior transmits sensitive material to a third-party service.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The manifest description is extremely broad, covering nearly the entire web application lifecycle on GCP, which makes the skill likely to match many common user requests. In an agentic environment, overly broad user-invocable matching can trigger this high-impact skill unexpectedly, leading to unintended file changes, cloud operations, deployment steps, or credential-adjacent workflows.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill advertises end-to-end lifecycle control including scaffolding, deployment, infrastructure, and DNS/security orchestration, but does not present a clear user-facing warning that these actions can modify local code, cloud resources, or production configuration. In a user-invocable skill, that omission increases the chance of accidental destructive or high-cost actions under routine prompts.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The manifest description is extremely broad and positions the skill as a 'super agent' covering scaffolding, infrastructure, auth, testing, deployment, CDN/security, and monitoring. In a system that may auto-select or suggest skills from metadata, this weak scoping can cause the skill to be invoked for tasks beyond user intent, which is more dangerous here because the skill also requests network and filesystem access and relies on many sensitive cloud credentials.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The manifest requests both filesystem and network permissions while declaring numerous sensitive environment variables, including GCP service-account material, Firebase credentials, Cloudflare tokens, and an API key. Without any warning, justification, or narrowing in the manifest, users may unknowingly expose high-value secrets to a skill that can read local data and make outbound requests, creating substantial risk of credential misuse or exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The Cloud Run deployment example explicitly uses `--allow-unauthenticated`, which makes the service publicly reachable, but the document does not warn that this exposes the application to the internet. In a 'fullstack' deployment skill, readers may copy-paste this into apps with admin routes, preview builds, or APIs that were intended to be private, increasing the chance of accidental exposure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The HTTP Cloud Function example deploys with `--allow-unauthenticated`, exposing the function publicly without warning about the security implications. Because this skill is positioned as an end-to-end deployment guide, users may treat the example as a safe default and unintentionally publish internal APIs, webhook handlers, or sensitive backend functionality.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The instruction to 'implement the complete vertical slice autonomously' when a user merely describes a feature creates an overly broad trigger for consequential code generation and modification. In a powerful full-stack GCP skill, vague or manipulated prompts could cause the agent to introduce schema changes, auth changes, APIs, and deployable functionality without sufficient scoping, approval gates, or risk review.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation instructs users to call Cloudflare's `purge_cache` API with `{"purge_everything": true}` after every production deployment, but it does not warn that this invalidates the entire zone cache and can create avoidable origin load spikes, latency regressions, and temporary availability issues. In an automation-oriented skill, operators may copy this verbatim into CI/CD, making the blast radius larger than a one-off manual action.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal