Perfect Agent Comms

Security checks across malware telemetry and agentic risk

Overview

This is a coherent agent-to-agent bridge, but it needs Review because it creates persistent autonomous communication and includes under-documented destructive and broad workspace-control behavior.

Install only if you intend to run a persistent bridge between agents you control. Before use, remove or restrict /api/clear, bind or firewall the server, use HTTPS/TLS for non-local traffic, protect and rotate the shared token, keep bridge-derived state in dedicated files, and review cron jobs so remote messages cannot silently drive broad workspace actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation describes substantial capabilities including environment-variable handling, file writes, shell commands, background process management, and HTTP communication, yet no explicit permission declaration is present. That mismatch weakens operator review and consent, because users may invoke a skill with broader powers than they were led to expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill claims constrained communication and 'no external network calls,' but the described helper behavior depends on arbitrary BRIDGE_URL configuration and the analysis indicates additional undocumented endpoints including a destructive clear operation. Description-behavior mismatches are dangerous because they hide real attack surface and can cause operators to deploy the skill in more permissive environments than intended.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The GET /api/clear endpoint permanently deletes both message queues, allowing any authenticated caller to erase pending communications and disrupt agent-to-agent messaging. In this skill's context, the bridge is supposed to preserve and relay inter-agent messages, so a state-destroying endpoint materially increases the risk of denial of service or loss of operational data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The template instructs periodic HTTP requests with bearer-token authentication to a configurable bridge without warning that agent content and replies may be transmitted to another host. In this skill context, the agent is also told to read workspace context files before replying, which increases the chance of silently exfiltrating sensitive local data to a remote bridge service.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The template directs an autonomous cron-driven agent to update workspace context files and timestamp files without disclosing that it will perform automated writes. In practice, this can cause silent state changes, contamination of memory/context files, or persistence of attacker-influenced content received through the bridge.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
A destructive endpoint that deletes inbox and outbox state without any warning, confirmation, or clear disclosure makes accidental or intentional message loss easy. Because this bridge is used for autonomous agent communication, silent deletion can cause missed commands, broken workflows, and hard-to-debug outages.

VirusTotal

67/67 vendors flagged this skill as clean.