ClawHub

Jrv Http Client

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate HTTP client, but it needs review because its redirect handling and TLS-skip option can surprise users when credentials are used.

Install only if you need a broad command-line HTTP client. Avoid using real tokens or passwords with URLs that may redirect, do not use --no-verify except in controlled testing, and treat mutating requests such as POST, PUT, PATCH, and DELETE as actions performed with the full privileges of the supplied credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly describes network access and file writing capabilities, but these are not declared as permissions in the skill metadata. That creates a transparency and governance gap: an agent or reviewer may underestimate the skill's ability to exfiltrate data to remote endpoints or write potentially sensitive response content to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The stated description presents a general HTTP client, but the documented behavior includes materially riskier features such as disabling TLS verification, following redirects, verbose header display, and writing responses to disk. This mismatch can mislead users and agents about the real attack surface, increasing the chance of unsafe invocation with secrets or untrusted endpoints.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation advertises Bearer, Basic, and API-key authentication plus request submission to remote services, but does not warn that credentials and request bodies will be transmitted externally. In an agent setting, that omission can lead to accidental disclosure of secrets or private data to third-party systems.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill description mentions request history logging but does not explain what is retained locally or whether sensitive headers and bodies may be captured. Local persistence of request metadata and secrets can create a secondary exposure path through logs, shell history, or shared workspaces.

Missing User Warnings

High
Confidence
98% confidence
Finding
Offering --no-verify without an explicit warning normalizes disabling TLS certificate validation, which enables man-in-the-middle interception and tampering of supposedly HTTPS-protected traffic. This is especially dangerous because the tool also supports sending authentication credentials and API keys.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| `--output <file>` | Save response body to file |
| `--output-json` | Output full response as JSON (status, headers, body, timing) |
| `--timing` | Show request/response timing |
| `--no-verify` | Skip TLS certificate verification |
| `--verbose` | Show request headers sent |

## Response Format
Confidence
97% confidence
Finding
--no-verify

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal