Webhook Notify

Security checks across malware telemetry and agentic risk

Overview

Review before installing: the skill is mostly a disclosed webhook notifier, but it ships under-scoped generic HTTP helpers and gives weak guidance around webhook secrets.

Install only if you are comfortable with a PowerShell skill that can send outbound messages to user-supplied URLs. Treat webhook URLs as secrets, avoid putting sensitive operational or customer data in alerts, and do not use the custom HTTP helpers unless you explicitly need arbitrary API requests and can control the destination and method.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium (93% confidence)
Finding
The skill is presented as a webhook notifier for specific chat platforms, but it also exposes a generic HTTP client that can send arbitrary requests to arbitrary URLs with caller-controlled headers, body, and method. In an agent/plugin context, this expands the capability from notification delivery to unrestricted outbound network access, which can be abused for SSRF, unauthorized data exfiltration, or interacting with non-webhook internal/external services.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
Allowing GET, POST, PUT, DELETE, and PATCH in a tool marketed for webhook notifications grants broader remote interaction than necessary for the stated use case. In an agent setting, these extra methods can be used to modify or delete resources on arbitrary endpoints, increasing the risk of SSRF, unintended side effects, and misuse beyond simple notification posting.

Description-Behavior Mismatch

High (96% confidence)
Finding
The skill is presented as a webhook notification utility for a fixed set of chat platforms, but it also exposes Send-WebhookCustom, which can send arbitrary HTTP requests to any URL with attacker-controlled headers and body. In an agent context, this materially expands the tool from scoped notifications into a general outbound network primitive, enabling SSRF, unauthorized API interaction, data exfiltration, and policy bypass if an attacker can influence inputs.

Context-Inappropriate Capability

High (95% confidence)
Finding
Allowing GET, PUT, DELETE, and PATCH is excessive for a notification skill and turns it into a general-purpose API client capable of state-changing operations against arbitrary services. In a tool-enabled agent environment, this increases the blast radius from posting messages to modifying or deleting remote resources, probing internal services, or abusing authenticated endpoints when combined with supplied headers.

Missing User Warnings

Medium (84% confidence)
Finding
The examples encourage sending monitoring and alert data to third-party webhook endpoints, including @all notifications, without warning that messages may contain sensitive operational data such as host health, resource exhaustion, or incident details. In real deployments, this can lead to unintended disclosure of internal system state to external SaaS platforms or broad audiences if webhook URLs are mis-scoped, leaked, or routed to less trusted channels.

Missing User Warnings

Medium (95% confidence)
Finding
The documentation repeatedly shows direct use of live webhook URLs, storage in persistent user environment variables, and broad notification patterns without any warning that webhook URLs are secrets. Because webhook endpoints often act as bearer tokens, exposing them in scripts, logs, screenshots, shell history, or persisted environment variables can let unauthorized parties send messages, spam channels, or abuse trusted alerting paths.

Vague Triggers

Medium (90% confidence)
Finding
The trigger string is very broad and includes many generic notification-related keywords, increasing the chance the skill is invoked in situations the user did not explicitly intend. Because this skill can send outbound webhook messages to multiple external platforms, unintended activation could cause accidental data egress, notification spam, or disclosure of sensitive content to configured endpoints.

Missing User Warnings

Medium (90% confidence)
Finding
The custom webhook helper can transmit arbitrary bodies and headers to any URL without any built-in warning, consent boundary, or destination restriction. In a skill environment, this creates a covert outbound channel for sensitive prompt, credential, or user data exfiltration, especially because the function looks like a benign notification utility while behaving as a general-purpose HTTP client.

Missing User Warnings

Medium (95% confidence)
Finding
The test helper prints the full webhook URL to the console, which can expose bearer-style secrets embedded in the URL to terminal history, CI logs, screenshots, shared sessions, or centralized log collectors. Since webhook URLs for Slack, Discord, DingTalk, and similar platforms commonly function as authentication tokens, disclosure can let an attacker send unauthorized messages or abuse the integration.

VirusTotal

64/64 vendors flagged this skill as clean.
