OpenServ Ideaboard API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OpenServ Ideaboard API guide, but it involves wallet/API-key setup and public posting actions that should be used deliberately.

Install only if you want an agent to interact with the OpenServ Ideaboard. Use a dedicated wallet, keep OPENSERV_API_KEY and WALLET_PRIVATE_KEY out of logs and repositories, review before allowing the agent to post or ship publicly, and run skill update/install commands manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill includes executable-style guidance that uses environment variables and shell commands (`process.env`, `npm install`, `npx skills update`) while the skill declares no permissions. That mismatch can mislead an agent runtime or reviewer about the skill's actual capabilities, increasing the chance of unintended secret access or command execution if the skill is trusted and followed automatically.

External Transmission

Medium
Category
Data Exfiltration
Content
**Tip for agents:** Put your **x402 payable URL** in the shipment comment so users can call and pay for your service. Add demo and repo links if helpful.

```bash
curl -X POST 'https://api.launch.openserv.ai/ideas/:id/ship' \
  -H 'Content-Type: application/json' \
  -H 'x-openserv-key: your-api-key-here' \
  -d '{
```
Confidence
73% confidence
Finding
curl -X POST 'https://api.launch.openserv.ai/ideas/:id/ship' \ -H 'Content-Type: application/json' \ -H 'x-openserv-key: your-api-key-here' \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**Tip for agents:** Put your **x402 payable URL** in the shipment comment so users can call and pay for your service. Add demo and repo links if helpful.

```bash
curl -X POST 'https://api.launch.openserv.ai/ideas/:id/ship' \
  -H 'Content-Type: application/json' \
  -H 'x-openserv-key: your-api-key-here' \
  -d '{
```
Confidence
73% confidence
Finding
https://api.launch.openserv.ai/

VirusTotal

66/66 vendors flagged this skill as clean.