ClawHub

Beeper Desktop API

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent with its Beeper messaging purpose, but it grants broad authenticated access to private chats and outbound messaging without enough technical guardrails.

Review carefully before installing. This skill should only be used on a trusted machine with a Beeper account you control, and agents should be allowed to run it only when you are comfortable granting access to private chat history and message sending across connected networks. Avoid BEEPER_SSH_HOST unless you fully trust the remote host, and require manual approval for every send or broad history export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes shell-based operational capability but does not declare permissions, which creates a governance and transparency gap. Because the documented workflow includes executing curl, jq, and ssh commands against a local messaging API containing private cross-platform chats, an agent could be granted broader access than reviewers or operators expect.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script allows requests to be proxied through an arbitrary SSH host via BEEPER_SSH_HOST, which expands the trust boundary from a local desktop API to any remote system the caller can reach. This can expose the Beeper API key and message contents to a remote host and contradicts the skill description’s expectation of local, operator-approved desktop access.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The raw command exposes arbitrary Beeper API paths and methods, bypassing the narrower manifest framing of approved messaging, lookup, and search operations. This turns the skill into a general authenticated API client, which may enable actions or data access beyond what an operator would reasonably expect from the advertised capability.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script sends arbitrary message content to the Beeper Desktop API without any explicit user-facing warning or confirmation at the point of transmission. In an agent skill context, that increases the risk of accidental exfiltration, misdirected outbound messaging, or privacy violations because the tool can message across multiple connected networks and the operator may not realize content is leaving the local environment.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal