
Security audit

04 Smb Client Onboarding

Security checks across malware telemetry and agentic risk

Overview

This skill is framed as client-onboarding automation, but it under-discloses that client data is sent to an external LLM, and it overstates CRM, payment, email and messaging integrations that the executable mostly does not perform.

Review before installing. Treat this as a local tracker with optional external LLM reminder generation, not a complete onboarding automation. Do not run it with real client data or LLM/API credentials unless you are comfortable sending names, emails, and onboarding status to the configured LLM endpoint, and verify all promised CRM, payment, email, and messaging actions manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Tainted flow: 'req' from os.environ.get (line 134, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
                "User-Agent": USER_AGENT,
            }
        )
        with urllib.request.urlopen(req, timeout=30) as r:
            result = json.loads(r.read())
            return result["choices"][0]["message"]["content"].strip()
    except Exception:
Confidence
94% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as r:
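The flow reported above (an environment read that ends up in the argument of urlopen) can be reproduced with a small intra-procedural taint check over the AST. The block below is an added example written for this page, not SkillSpector's implementation. SAMPLE is a constructed reconstruction around the excerpt shown in the finding: the endpoint URL, the function name, the api_key variable and the second helper function are assumptions, and USER_AGENT is left undefined because the sample is only parsed, never executed.

```python
"""Intra-procedural taint check for the pattern flagged above: does a value
derived from os.environ.get(...) reach urllib.request.urlopen(...)?

Added example, not SkillSpector's code. SAMPLE is a constructed
reconstruction around the excerpt in the finding; the endpoint URL, function
name and api_key variable are assumptions."""
import ast

SOURCES = {("os", "environ", "get")}        # credential / environment reads
SINKS = {("urllib", "request", "urlopen")}  # network egress


def _dotted(node):
    """Dotted name of an attribute chain rooted at a Name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def _is_tainted(expr, tainted):
    """True if expr reads a tainted variable or calls a source directly."""
    for n in ast.walk(expr):
        if isinstance(n, ast.Name) and n.id in tainted:
            return True
        if isinstance(n, ast.Call) and _dotted(n.func) in SOURCES:
            return True
    return False


def _own_exprs(stmt):
    """Expressions belonging to stmt itself, not to statements nested in it."""
    for _, value in ast.iter_fields(stmt):
        for v in value if isinstance(value, list) else [value]:
            if isinstance(v, ast.withitem):
                yield v.context_expr
            elif isinstance(v, ast.expr):
                yield v


def find_taint_flows(source):
    """Return (tainted_input, sink, line) for every source->sink flow.

    Taint propagates through plain assignments in source order within each
    function, so both a direct flow (sink(os.environ.get(...))) and a
    variable-mediated one (x = ...env...; sink(x)) are reported."""
    flows = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        stmts = sorted((n for n in ast.walk(func)
                        if isinstance(n, ast.stmt) and n is not func),
                       key=lambda n: (n.lineno, n.col_offset))
        for stmt in stmts:
            # 1. sinks: any tainted positional or keyword argument is a flow
            for expr in _own_exprs(stmt):
                for call in (c for c in ast.walk(expr) if isinstance(c, ast.Call)):
                    name = _dotted(call.func)
                    if name not in SINKS:
                        continue
                    for arg in list(call.args) + [k.value for k in call.keywords]:
                        if _is_tainted(arg, tainted):
                            label = arg.id if isinstance(arg, ast.Name) else "<expr>"
                            flows.append((label, ".".join(name), call.lineno))
            # 2. propagation: assigning from a tainted value taints the targets
            if isinstance(stmt, ast.Assign) and _is_tainted(stmt.value, tainted):
                for t in stmt.targets:
                    if isinstance(t, ast.Name):
                        tainted.add(t.id)
    return flows


# Constructed sample modelled on the excerpt in the finding (not the skill's
# actual source). urlopen is on line 15 of this string.
SAMPLE = '''
import json, os, urllib.request

def generate_reminder(prompt):
    api_key = os.environ.get("LLM_API_KEY")
    try:
        req = urllib.request.Request(
            "https://llm.example.invalid/v1/chat",
            data=json.dumps({"messages": [{"role": "user", "content": prompt}]}).encode(),
            headers={
                "Authorization": f"Bearer {api_key}",
                "User-Agent": USER_AGENT,
            },
        )
        with urllib.request.urlopen(req, timeout=30) as r:
            result = json.loads(r.read())
            return result["choices"][0]["message"]["content"].strip()
    except Exception:
        return None

def local_only():
    # reads the environment but never sends it anywhere: not a flow
    return bool(os.environ.get("LLM_API_KEY"))
'''

if __name__ == "__main__":
    for var, sink, line in find_taint_flows(SAMPLE):
        print(f"tainted '{var}' reaches {sink} at line {line}")
```

The check is deliberately narrow: it follows plain assignments inside one function and does not model calls, containers or control flow, which is enough to confirm the reported credential-to-network path and to separate it from code that reads the environment for local use only.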

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation indicates capabilities that would require network access, writing data, and possibly reading environment-backed credentials, yet it declares no permissions or user-facing authorization boundaries. In a workflow that sends emails, creates CRM records, generates payment links, and posts to messaging systems, missing permission declarations undermine transparency and consent for sensitive external actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
A description-behavior mismatch is dangerous because users may approve the skill for one scope while it performs additional actions such as external LLM calls, pricing/tier gating, or simulated rather than actual automation. In this onboarding context, hidden external processing can expose client PII or create false assumptions that operational tasks were completed when they were not.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest omits messaging behaviors like WhatsApp, mailing-list enrollment, and Telegram digests, which are material external actions involving client contact data. Undisclosed communication channels increase the risk of unauthorized outreach, privacy violations, and data sharing with third parties beyond what the user expected.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill accesses generic LLM credentials and uses them to send client onboarding content to an external LLM service, which is outside the stated need of local onboarding tracking. In this context, client names, contact emails, and pending business workflow details are transmitted off-system without clear necessity or consent, creating a real data exposure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill automates externally visible actions—sending outreach, creating CRM/project artifacts, issuing payment links, and messaging teams—without explicit warning that it will affect client data and third-party systems. In a business onboarding workflow, this can lead to unintended disclosures, premature client contact, accidental billing actions, and irreversible records being created across integrated platforms.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The marketing copy describes a single broad "new client" trigger without defining what event source, validation, deduplication, or approval conditions actually cause the workflow to run. In a skill that can send emails, create accounts, schedule meetings, and initiate payment-related setup, ambiguous activation increases the risk of accidental or unauthorized onboarding actions against the wrong person or duplicate client records.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description promotes automation across email, CRM, payments, project tools, and messaging without warning users that the workflow may create accounts, transmit client data, send communications, or configure billing-related steps. In this context, omission of warnings can mislead users into enabling a high-impact automation without understanding privacy, consent, financial, and operational risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends client contact data and onboarding status to an external LLM provider without any user-facing warning, consent, or disclosure. In a business onboarding context this increases risk because the data is customer-related and operationally sensitive, and users would reasonably expect local processing unless told otherwise.

Ssd 3

Medium
Confidence
97% confidence
Finding
The reminder prompt includes client name, contact email, and stuck onboarding steps, all of which are sent to a third-party LLM. Embedding this business and personal data in prompts creates unnecessary exposure, especially since reminder generation can be done with a local template.
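This finding, together with the Context-Inappropriate Capability and Missing User Warnings findings above, comes down to the same remediation: generate the reminder locally, or at least keep client identifiers out of anything that leaves the machine. The block below is an added example written for this page, not the audited skill's code. The Client fields, the reminder wording and the Pseudonymizer helper are assumptions; the LLM call is injected as a callable so the example runs offline.

```python
"""Two ways to produce the reminder without disclosing client identifiers to
a third-party LLM: a local template (no network at all) and, where LLM
wording is still wanted, a tokenise-before-send / substitute-after pattern.

Added example, not the audited skill's code. The Client fields and the
reminder wording are assumptions."""
from dataclasses import dataclass, field
import re


@dataclass
class Client:
    name: str
    email: str
    pending_steps: list = field(default_factory=list)


def local_reminder(client):
    """Deterministic template: no credentials, no network, no PII egress."""
    steps = ", ".join(client.pending_steps) or "no outstanding steps"
    return (f"Hi {client.name},\n\n"
            f"Your onboarding is waiting on: {steps}.\n"
            f"Reply to this message ({client.email}) if you need a hand.")


class Pseudonymizer:
    """Maps real values to opaque tokens for the prompt and back for the output."""

    def __init__(self):
        self._forward = {}   # real value -> token
        self._reverse = {}   # token -> real value

    def token(self, kind, value):
        if value not in self._forward:
            t = f"<{kind}_{len(self._forward) + 1}>"
            self._forward[value] = t
            self._reverse[t] = value
        return self._forward[value]

    def rehydrate(self, text):
        return re.sub(r"<[A-Z]+_\d+>",
                      lambda m: self._reverse.get(m.group(0), m.group(0)), text)


def build_prompt(client, p):
    """Prompt carrying the task and the stage, but no identifiers.

    The pending steps still leave the system, which is the residual
    disclosure the finding above calls out; only the template path avoids
    that entirely."""
    steps = ", ".join(client.pending_steps)
    return (f"Write a two-sentence friendly reminder addressed to "
            f"{p.token('NAME', client.name)}, whose onboarding is stuck on: "
            f"{steps}. Give {p.token('EMAIL', client.email)} as the reply address.")


def contains_pii(text, client):
    """Egress gate: refuse to send anything that still carries identifiers."""
    return client.name in text or client.email in text


def draft_with_llm(client, call):
    """`call` is whatever sends a prompt to the LLM and returns its text
    (injected here so the example runs offline and so the gate is testable)."""
    p = Pseudonymizer()
    prompt = build_prompt(client, p)
    if contains_pii(prompt, client):
        raise ValueError("refusing to send client identifiers off-system")
    return p.rehydrate(call(prompt))


if __name__ == "__main__":
    # constructed sample client, not real data
    c = Client("Ada Example", "ada@example.test", ["sign contract", "add payment method"])
    print(local_reminder(c))
    print(draft_with_llm(c, lambda prompt: "Hello <NAME_1>, please finish up. Reply to <EMAIL_2>."))
```

Used inside the skill, local_reminder removes the need for the LLM credential entirely; draft_with_llm is the fallback for operators who still want model-written copy, and its gate makes accidental identifier leakage a hard failure rather than a silent one.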

VirusTotal

VirusTotal findings are pending for this skill version.
