ActiveCampaign (50+ Capabilities)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for ActiveCampaign reporting, but it needs review because some instructions can change CRM data through raw API commands that bypass the advertised write safeguards.

Review before installing if this token can modify important ActiveCampaign data. Use a dedicated least-privileged AC integration user, set AC_READ_ONLY=1 for analysis-only use, avoid running raw curl write examples, and avoid passing tokens directly on the command line or storing them in shell history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Credential Access

High
Category
Privilege Escalation
Content
        print("To set credentials:")
        print("  export AC_API_URL='https://YOURACCOUNT.api-us1.com'   # in your shell profile")
        print("  export AC_API_TOKEN='YOUR-TOKEN'                       # in your shell profile")
        print("  # or, if keyring is installed:")
        print("  python3 scripts/auth.py set <url> <token>")
        return 1
    return 0
Confidence
72% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
    sub.add_parser("status", help="Show where credentials resolve from")

    p_set = sub.add_parser("set", help="Store URL and token in the OS keychain")
    p_set.add_argument("url")
    p_set.add_argument("token")
Confidence
78% confidence
Finding
keychain

VirusTotal

59/59 vendors flagged this skill as clean.
