Redmine Issue

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a Redmine issue tool, but it can make live authenticated ticket updates despite read-oriented framing and no clear confirmation safeguard.

Install only if you intend to let the agent modify Redmine tickets. Use a least-privilege Redmine API key, restrict it to the relevant project where possible, and require explicit user approval before invoking update operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

High (97% confidence)
Finding
The skill metadata and opening description present the capability as read-only, but the documented commands include `update` operations that can modify Redmine issues. This mismatch can mislead users, reviewers, or automated policy systems into granting or invoking the skill under a lower-risk assumption, enabling unauthorized or unintended changes to production issue data.

Intent-Code Divergence

Medium (95% confidence)
Finding
The documentation repeatedly states that the skill reads issues, then later exposes commands that update issue fields such as status, assignee, priority, and notes. In context, this inconsistency increases operational risk because an agent or user may treat the skill as non-destructive while it actually supports state-changing actions against arbitrary Redmine servers configured by environment variables.

Description-Behavior Mismatch

High (97% confidence)
Finding
The skill metadata and usage framing imply a read-oriented Redmine issue reader, but the code explicitly supports an `update` command that performs authenticated PUT requests to modify remote issues. This capability mismatch is dangerous because agents or users may invoke the skill under the assumption that it is non-destructive, leading to unauthorized or unintended changes in external systems.

Description-Behavior Mismatch

High (98% confidence)
Finding
This code path constructs arbitrary issue updates from CLI arguments and sends them to the configured Redmine server using the provided credentials, despite the skill being described as a reader. In an agent setting, hidden write capability materially increases the risk of integrity-impacting actions such as altering assignments, status, notes, or descriptions without informed user consent.

Missing User Warnings

Medium (92% confidence)
Finding
The script executes a live remote update immediately and then fetches the modified issue, with no interactive confirmation, warning banner, or safeguard before changing a production Redmine ticket. In an automated agent workflow, this increases the chance of accidental or prompt-induced state changes to external systems, especially because the skill accepts configurable server URLs and credentials.

VirusTotal

64/64 vendors flagged this skill as clean.
