SAAS Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a SaaS planning prompt generator, but it can steer agents toward payments, deployments, and public launches without clear approval controls.

Use this skill for planning unless you deliberately want an agent to act. Review generated subagent prompts before running them, treat the factory status as mock unless connected to real data, and require explicit approval before deployment, payment setup, account creation, or public launch actions. Use sandbox or least-privilege credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 84%
Finding: The skill advertises orchestration behavior and references scripts that can create or save outputs, yet it declares no permissions despite detected file-write capability. In an agent environment, undeclared write access breaks least-privilege expectations and can allow unreviewed modification of workspace files, logs, prompts, or generated artifacts.

Tp4 (High)

Category: MCP Tool Poisoning
Confidence: 92%
Finding: The skill's stated purpose materially overclaims what it actually does, presenting static templates and mock tracking as if it performs real orchestration, monitoring, and revenue management. This can mislead users or higher-level agents into trusting fabricated state, making operational decisions on false data and masking the fact that no real coordination or validation is happening.

VirusTotal

61/61 vendors flagged this skill as clean.
