Zapier

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent Zapier documentation, but it grants broad automation power with too little guidance around live changes, outbound messages, and sensitive data flows.

Install only if you want an agent to help operate Zapier workflows using your Zapier credentials. Before use, require explicit confirmation for actions that enable/disable Zaps, delete hooks or records, send messages, publish interfaces, run AI actions, or send data to webhooks. Use least-privilege tokens, avoid raw payload logging, and do not put personal data or secrets in URLs, emails, Slack messages, or broad public interfaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (23)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The webhook examples demonstrate sending user identifiers and contact data to arbitrary external URLs without any warning about data disclosure, destination trust, or consent requirements. In an automation skill, this can normalize exfiltration of personal data to third parties and lead users to deploy unsafe flows that leak sensitive information.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The communication examples send outbound email, Slack, direct messages, and SMS based on trigger data but provide no warning that these actions contact real recipients and may cause spam, privacy issues, or unintended disclosures. Because these actions are operationally live, users could copy them into production and immediately send messages to customers or staff without review.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The documentation includes state-changing examples to enable or disable Zaps without any warning that these requests immediately modify production automation behavior. In an agent/LLM skill context, users or downstream systems may copy or invoke these examples automatically, causing unintended service disruption, workflow activation, or side effects in connected third-party systems.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The natural-language and AI action execution examples accept free-form instructions that can trigger broad external actions across connected apps, yet the documentation provides no warning about data movement, message sending, record creation, or other real-world side effects. In an LLM integration context, this is especially risky because ambiguous or prompt-injected instructions may be interpreted as authorization to perform impactful actions on behalf of the user.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding:
The hook deletion example shows irreversible removal of an active webhook subscription without warning about loss of event delivery or operational monitoring gaps. In automation environments, accidental deletion can silently break downstream processing and incident visibility.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The examples demonstrate workflows that move names, emails, company details, and CRM/form data into spreadsheets and email without any guidance on minimization, access control, retention, or user notice. In an automation skill, these patterns can normalize unsafe handling of personal data and lead users to build integrations that violate internal privacy requirements or regulations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The Slack examples send error content, lead details, and operational context into channels without warning that chat systems may expose information broadly to channel members, retained history, bots, or external integrations. This is especially risky because alerts often include sensitive business context or user data, and the skill presents the pattern as a default operational workflow.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The email-marketing and SMS examples encourage contacting users based on workflow events without noting consent, opt-in, unsubscribe, or jurisdiction-specific compliance requirements. In practice, this can lead to unauthorized outreach, privacy complaints, regulatory exposure, and disclosure of order or account information over channels that may be shared or insecure.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The chatbot action phrases are broad enough that ordinary user language like 'help' or 'problem with' could unintentionally trigger backend automations. In this skill context, chatbot actions can create records and notify teams, so loose matching raises the risk of false ticket creation, workflow abuse, and operational noise.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
Putting PII such as name and email in URL query parameters exposes that data through browser history, logs, analytics tools, referrer headers, and shared links. In a forms product, this is especially risky because the documentation normalizes an unsafe pattern without warning users about downstream exposure.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
Exposing uploaded file URLs directly to downstream automations can leak access paths to sensitive documents if those URLs are logged, forwarded, or insufficiently access-controlled. In this context, uploads may include resumes and documents, so the data sensitivity is materially higher than for generic file references.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Passing chatbot context such as customer identifiers and names in URL parameters creates the same privacy and leakage risks as form prefill, with the added concern that chatbot links may be shared broadly or embedded. Because this context may influence AI behavior and downstream actions, exposed identifiers can also enable unintended personalization or data disclosure.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
Presenting 'Anyone with link' public access without warning can lead users to expose interface content and collected submissions unintentionally. In a platform for forms, pages, and chatbots that may handle customer data, this materially increases the chance of accidental data disclosure.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The webhook chain pattern forwards data across multiple webhook stages and enrichment APIs without any mention of authentication, integrity checks, replay protection, or data minimization. In a Zapier context, chained webhooks materially increase the attack surface and the likelihood of data leakage, tampering, or unauthorized injection if endpoints are exposed or misconfigured.

Missing User Warnings

Severity: High
Confidence: 94%
Finding:
This multi-tenant pattern sends data to customer-controlled Slack workspaces, email destinations, or webhook endpoints based on settings, but provides no safeguards around tenant isolation, destination verification, authorization, or outbound data filtering. In a multi-tenant automation skill, that omission is dangerous because a mapping error or malicious endpoint could cause cross-tenant data disclosure or exfiltration at scale.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The setup instructs the agent to ask for broad, proactive activation whenever the user mentions automation or app connections, which can cause the skill to trigger outside a clearly scoped user request. In a Zapier skill, this increases the chance of unintended invocation in ordinary conversation and may lead the agent to steer interactions toward integrations, memory collection, or automation suggestions the user did not explicitly request.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The logging example recommends storing full trigger payloads and full webhook responses, which can capture personal data, tokens, secrets, or other sensitive content. Centralized logs and spreadsheets are often broadly accessible and retained longer than operationally necessary, increasing disclosure risk.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
Forwarding the raw webhook body to email can leak sensitive user-supplied content into inboxes, mail servers, and downstream archiving systems. Email is typically less controlled than application logs and can easily broaden access to data far beyond the intended recipients.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
The operational guidance explicitly tells users to retain entire webhook payloads and responses, creating a natural and repeatable data exposure path. Because webhook content is often user-controlled and may include credentials or personal data, this materially increases the chance of secondary leakage.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
This pattern creates direct disclosure of raw inbound data through a plain-language workflow step, which may expose personal data, internal identifiers, or attacker-supplied content to email recipients. The risk is elevated because email forwarding is easy to enable and hard to govern once messages are sent.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
### POST JSON
```
Action: Webhooks by Zapier → POST
URL: https://api.yourapp.com/webhook
Payload Type: JSON
Data:
  name: {{trigger.name}}
```
Confidence: 88%
Finding:
https://api.yourapp.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
### POST with Headers
```
Action: Webhooks by Zapier → POST
URL: https://api.yourapp.com/webhook
Headers:
  Authorization: Bearer your_api_key
  Content-Type: application/json
```
Confidence: 91%
Finding:
https://api.yourapp.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
```
Action: Webhooks by Zapier → Custom Request
Method: PATCH
URL: https://api.yourapp.com/users/{{trigger.user_id}}
Headers:
  Authorization: Bearer your_api_key
Data:
```
Confidence: 89%
Finding:
https://api.yourapp.com/

VirusTotal

66/66 vendors flagged this skill as clean.
