Trello Orchestrator Runner

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a Trello automation helper whose Trello credentials and board/card changes fit its stated purpose, though users should treat those actions as real account changes.

Install only if you intend to let the agent act on your Trello account. Use the least-privileged Trello token available, do not paste credentials into chat or logs, and require a clear summary and confirmation before it creates, updates, comments on, moves, archives, or deletes Trello items.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium (90% confidence)
Finding
The manifest description is broadly phrased ('run tasks from Trello automatically') and can match common user intents, increasing the chance the skill is invoked in situations where the user did not explicitly consent to Trello-backed automation. Because the skill performs stateful workflow actions and networked API operations, over-broad triggering raises the risk of unintended external side effects.

Missing User Warnings

Medium (95% confidence)
Finding
The skill requires `TRELLO_API_KEY` and `TRELLO_TOKEN` and directs Trello API usage, but does not warn about sensitive secret handling, external network calls, or the consequences of modifying third-party resources. In a workflow automation skill that creates, updates, comments on, and moves cards, this omission makes accidental credential exposure and unintended remote actions more likely.

VirusTotal

66/66 vendors flagged this skill as clean.
