Ahc Automator

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for AHC workflow automation, but it can read local email, automatically change ClickUp and Pipedrive records, and store API tokens in shell profiles without strong approval controls.

Install only if you intentionally want this skill to monitor the named Apple Mail accounts and create or update ClickUp and Pipedrive records from email content. Before enabling it, narrow the trigger phrases, add sender allowlists and approval gates, avoid storing API tokens in shell profiles, verify or disable cron jobs, and remember that WhatsApp delivery is not actually implemented in the included code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end tell
                '''
                
                result = subprocess.run(['osascript', '-e', script], 
                                      capture_output=True, text=True)
                
                if result.returncode == 0:
Confidence
89% confidence
Finding
result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill describes and invokes broad capabilities including environment-variable access, file reads/writes, networked API use, and shell execution, but does not declare permissions or clearly constrain them. This creates a transparency and governance gap: an operator may approve or run the skill without understanding it can inspect local state, write logs/files, and invoke host commands.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill states it processes Apple Mail via osascript integration, which is a host-level automation capability that can control local applications beyond simple API-based workflow automation. Because this access is not prominently declared or bounded, it expands the trust boundary to the user's desktop and email client, increasing risk of unintended data access or command execution through local scripting.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This utility reads local mailbox contents by executing AppleScript against Apple Mail, giving the skill access to sensitive local data and process execution primitives. In an automation skill that also sends data to ClickUp and Pipedrive, that combination raises the risk of private email content being collected and forwarded externally without clear boundaries.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script inspects host cron configuration, which exceeds the manifest’s stated business-workflow automation purpose and grants the skill visibility into local system scheduling. In agent environments, this kind of host reconnaissance can expose operational metadata and normalize infrastructure inspection unrelated to user-requested AHC workflows.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Checking disk usage via OS command execution introduces infrastructure-monitoring capability outside the declared scope of email/ClickUp/Pipedrive automation. In a skill context, this broadens host observability and may reveal system layout and resource conditions that are unnecessary for normal workflow execution.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The notifier advertises WhatsApp delivery but the implementation only writes messages to logs while reporting success. In an automation workflow, this can silently suppress operational alerts, onboarding notices, or error notifications, causing users to rely on a control that does not actually work and potentially exposing sensitive notification content in local logs instead.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code comments and function names indicate real notification sending, yet the methods only log placeholders and still return success objects. This is dangerous because downstream systems may treat alerts as delivered, masking failures during client onboarding, project completion, or error handling and weakening operational security monitoring.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow monitors employee email accounts, parses message content, and propagates extracted information into ClickUp, Pipedrive, and WhatsApp without any explicit privacy notice, consent boundary, or data-minimization guidance. This is dangerous because email content may contain customer, commercial, or personal data that gets copied across multiple external systems automatically.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The onboarding flow creates client records and sends welcome emails automatically, but the skill provides no warning that it performs external communications and customer data processing. This can lead to accidental outreach, premature CRM record creation, and disclosure of customer information if triggered with incorrect or unverified input.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The completion workflow can generate invoices, send surveys, and notify stakeholders when triggered, yet there is no explicit warning about these irreversible or business-critical side effects. A mistaken trigger could produce financial records, customer communications, and status changes that are costly or difficult to undo.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The email-trigger phrases are broad, generic, and include common terms like 'clickup', 'pipedrive', 'add deal', and 'nova tarefa', which creates a real risk of unintended automation from ordinary email content. In this skill’s context, those triggers can automatically create tasks or deals across ClickUp and Pipedrive, so accidental or spoofed emails could cause unauthorized state changes in business systems.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README describes automated email monitoring and forwarding-derived actions into ClickUp, Pipedrive, and WhatsApp-like notifications without clearly warning about privacy, consent, or data-sharing implications. In a business workflow context, this can lead to unauthorized processing of personal or confidential email content across multiple third-party systems, increasing compliance and data leakage risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions tell users to append long-lived API tokens directly into shell startup files, which can expose credentials to local compromise, accidental disclosure through backups/dotfile syncing, or debugging output. Persisting secrets this way without a warning or more secure alternative normalizes weak credential handling and can lead to unauthorized access to ClickUp and Pipedrive accounts.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The function accesses mailbox contents with no visible disclosure, consent flow, or audit trail, which is risky because email content is highly sensitive. In this skill context, silent email access is more dangerous because the same module contains CRM/task integrations that could transmit extracted content to third-party services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code automatically forwards email-derived subject/body data into ClickUp task creation and WhatsApp notifications without any explicit confirmation, warning, or visible consent step in this workflow. In this business-automation context, that can cause unintended disclosure of sensitive email contents or trigger unauthorized downstream actions based on spoofed, misrouted, or overly broad emails.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow creates or looks up Pipedrive people and deals directly from parsed email content, then sends notifications, with no visible approval gate or warning in this file. In a CRM automation skill, this increases the risk of data pollution, privacy leakage, and business-process abuse if incoming email data is inaccurate, maliciously crafted, or processed from an unexpected account.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The CLI can directly perform state-changing actions: writing reports to disk, marking ClickUp tasks complete, and sending outbound notifications and survey/invoice triggers, all without an explicit confirmation gate or dry-run default. In an agent or automation context, this increases the chance of accidental execution, causing unintended business workflow changes and external communications.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The setup script collects API tokens and persists them into the user's shell profile in plaintext, which creates long-lived credential exposure. Shell startup files are often broadly readable by local tools, backups, support scripts, and terminal history workflows, increasing the blast radius if the host is later compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example test invokes `send_custom_notification(...)`, which appears to perform a real WhatsApp notification as part of a test path, but the script does not clearly warn the user that running tests may trigger an external network action. In a business automation skill, this can cause unintended outbound messages, information leakage, charges, or accidental contact with real customers during what should be a safe validation step.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow is designed to automatically transmit client and project data to external SaaS platforms and messaging systems, but the code contains no explicit consent, disclosure, or confirmation gate before data leaves the local environment. In an automation skill handling customer onboarding and project management, this increases privacy and compliance risk because personally identifiable and commercially sensitive information may be shared more broadly than the user expects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends client email to Pipedrive through create_or_find_person() without any visible notice or confirmation that contact data will be uploaded to a third-party CRM. Because this workflow explicitly handles client management, the skill context makes the exposure more significant: it is expected to process real customer records, so undisclosed sharing can trigger privacy, contractual, or regulatory issues.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The WhatsApp notification includes client name, project type, priority, duration, and team details, then sends that information externally without a clear disclosure that messaging will occur. This is risky because messaging channels often have broader visibility and weaker retention controls than internal systems, so project and client data may be exposed to unintended recipients or persist in third-party infrastructure.

VirusTotal

65/65 vendors flagged this skill as clean.
