pactflow

Security checks across malware telemetry and agentic risk

Overview

This PactFlow skill is not malicious, but it gives an agent broad workspace administration, webhook, deletion, and secret-handling powers without enough guardrails.

Install only if you intend to let the agent manage a PactFlow or Pact Broker workspace, not just answer general testing questions. Use the least-privileged token available, avoid storing real credentials in project files, keep MCP config out of version control, and require explicit human confirmation before any delete, secret, deployment, or webhook action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Severity: Medium. Confidence: 91%.
The tool reference exposes broad administrative capabilities well beyond the described role of a PactFlow expert assistant, including deletion, environment management, labels, webhooks, and secrets. Expanding a skill's accessible actions beyond its stated purpose increases the chance of misuse, prompt-injection-driven abuse, or accidental high-impact changes in a user's workspace.

Context-Inappropriate Capability

Severity: High. Confidence: 97%.
Secret-management tools are highly sensitive and are not justified by the assistant's stated contract-testing support role. If the skill can create, update, read, or delete secrets, an attacker or misled agent could exfiltrate credentials, replace secrets to redirect integrations, or break secure workflows across the workspace.

Context-Inappropriate Capability

Severity: High. Confidence: 94%.
Webhook creation, modification, deletion, and manual execution enable outbound requests and automation triggers that are outside the normal scope of a contract-testing advisory assistant. These capabilities can be abused to send data to attacker-controlled endpoints, trigger unintended side effects in connected systems, or alter CI/CD behavior.

Vague Triggers

Severity: Medium. Confidence: 90%.
The skill's trigger criteria include very generic phrases like 'safe to deploy?', 'consumer test', 'OpenAPI contract', and 'service compatibility matrix', which can cause the skill to activate for unrelated software, API, or deployment questions. Over-broad invocation increases the chance the agent will use powerful PactFlow workspace tools in the wrong context, potentially exposing metadata, modifying records, or producing misleading guidance based on an incorrect domain assumption.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The documentation instructs users to place Pact broker credentials in shell profiles and inline shell commands without warning that these locations may be persisted in plaintext, inherited by subprocesses, exposed via shell history, or read by other local users and tools. While common in setup docs, this normalizes insecure secret handling and increases the chance of credential leakage.

Missing User Warnings

Severity: Medium. Confidence: 98%.
The VS Code project configuration examples embed `PACT_BROKER_TOKEN` or username/password directly in `.vscode/mcp.json` under the project root, which is commonly committed to source control or shared with teammates. This creates a realistic risk of plaintext secret exposure through Git history, backups, workspace sharing, or local compromise.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The Cursor global and project configuration examples hardcode broker credentials in plaintext JSON with no caution about local file exposure or accidental repository inclusion for project-level configs. This makes credential theft easier if the machine, home directory, or repository contents are accessed by another user, malware, or support tooling.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The document includes multiple installation commands that make system changes, including piping a remotely fetched script directly into `sh`, without any warning or guidance to verify the source, inspect the script, or prefer safer installation paths. In a skill/reference file, users may copy-paste these commands verbatim, creating a realistic supply-chain and host-compromise risk if the upstream script or transport path is ever abused.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The documentation explicitly recommends security-weak practices for provider verification, including hardcoded credentials and use of a long-lived token, without clear warnings, scope limitations, or secret-handling guidance. In a CI/CD and contract-testing context, readers may copy these patterns into real pipelines or shared test environments, leading to credential leakage, over-privileged access, and persistence of secrets beyond intended use.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The documentation includes destructive operations such as deleting pacticipants, branches, and environments, and notes that some are irreversible, but it does not provide explicit user-warning or confirmation guidance for safe use. In an agent context, absence of clear confirmation requirements increases the likelihood of accidental destructive actions or socially engineered misuse.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Secret-management actions are documented without privacy, redaction, or secure-handling warnings, despite operating on highly sensitive values. In an LLM-assisted environment, this omission can lead to secrets being unnecessarily surfaced to the model, logs, or users, increasing exposure risk even during legitimate workflows.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The workflow documents `contract-testing_delete_branch` and `contract-testing_delete_pacticipant` as routine cleanup actions but provides no warning about their destructive nature, no confirmation step, and no guidance on access control or recovery. In an agent skill context, this increases the chance that an LLM or user may invoke irreversible cleanup operations on live PactFlow data based on an ambiguous request like 'clean up old services' or 'remove stale branches'.

VirusTotal

66/66 vendors flagged this skill as clean.