Pub Slack

Security checks across malware telemetry and agentic risk

Overview

This Slack-labeled skill actually grants broad SkillBoss API capabilities, including email and SMS actions that need careful review.

Install only if you intend to give the agent access to a broad SkillBoss API key, not just Slack automation. Require explicit human approval before email, SMS, OTP, batch messaging, document parsing, or smart-routed provider actions, and avoid sending sensitive workplace content unless you accept external processing.
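The approval gate the overview asks for, written out as an added example that is not part of this page, the skill, or the SkillBoss vendor's code: a client-side policy layer that classifies each outbound request before the agent sends it, lets Slack-scoped calls through, holds externally impactful calls for a human decision, and refuses anything outside the declared scope or anything carrying a secret. The /v1/run and /v1/pilot paths and the email/send model name are taken from the evidence quoted on this page; the slack/ prefix, the other model families, the secret-detection patterns and the sample requests are assumptions.

```python
"""Approval gate for requests an agent is about to send to a SkillBoss-style gateway.
Added example, not the skill's or the vendor's code; assumptions are marked below."""
import json
import re
from dataclasses import dataclass
from typing import Callable

# From the page: /v1/run takes a "model" name such as "email/send"; /v1/pilot runs a task.
RUN_PATH, PILOT_PATH = "/v1/run", "/v1/pilot"
# Assumption: only Slack-scoped model names may go out without a human decision.
AUTO_ALLOW_PREFIXES = ("slack/",)
# Assumption: these families need explicit approval (only "email/send" is from the page).
APPROVAL_PREFIXES = ("email/", "sms/", "otp/", "batch/", "document/", "auto/")
# Constructed markers for content that must not leave the workspace at all.
SENSITIVE_PATTERNS = (
    re.compile(r"\b(?:password|secret|api[_-]?key)\s*[:=]", re.I),
    re.compile(r"\bxox[bp]-[0-9A-Za-z-]+"),       # Slack bot/user token shape
)

@dataclass(frozen=True)
class Decision:
    action: str    # "allow", "approve" (needs a human) or "deny"
    reason: str

def classify_request(path: str, body: dict) -> Decision:
    """Decide what may happen to one outbound request before it is sent."""
    # Secrets never leave, whatever model or endpoint they are addressed to.
    payload = json.dumps(body.get("inputs", body), sort_keys=True)
    for pat in SENSITIVE_PATTERNS:
        if pat.search(payload):
            return Decision("deny", f"inputs match sensitive pattern {pat.pattern!r}")
    if path == PILOT_PATH:
        return Decision("approve", "autonomous task runner; a human must read the task first")
    if path != RUN_PATH:
        return Decision("deny", f"unexpected endpoint {path}")
    model = body.get("model")
    if not isinstance(model, str):
        return Decision("deny", "request carries no model name")
    if model.startswith(AUTO_ALLOW_PREFIXES):
        return Decision("allow", f"{model} is within the declared Slack scope")
    if model.startswith(APPROVAL_PREFIXES):
        return Decision("approve", f"{model} has side effects outside Slack")
    return Decision("deny", f"{model} is outside the declared scope and not approvable")

Approver = Callable[[Decision, dict], bool]

def gate(path: str, body: dict, approver: Approver) -> bool:
    """True only if the request may be sent; `approver` is the human-in-the-loop hook."""
    decision = classify_request(path, body)
    if decision.action == "allow":
        return True
    if decision.action == "approve":
        return bool(approver(decision, body))
    return False

# Constructed requests of the shapes the skill document describes.
SAMPLE_REQUESTS = [
    (RUN_PATH, {"model": "slack/post_message", "inputs": {"channel": "#ops", "text": "deploy done"}}),
    (RUN_PATH, {"model": "email/send", "inputs": {"to": "someone@example.com", "subject": "Q3 plan"}}),
    (RUN_PATH, {"model": "sms/otp-send", "inputs": {"phone": "+15555550100"}}),
    (PILOT_PATH, {"task": "summarise #ops and email the summary to finance"}),
    (RUN_PATH, {"model": "slack/post_message", "inputs": {"text": "api_key: abc123"}}),
    (RUN_PATH, {"model": "image/generate", "inputs": {"prompt": "team logo"}}),
]

def review(requests, approver: Approver) -> list[tuple[str, bool]]:
    """Run every request through the gate; returns (label, sent?) pairs."""
    return [(body.get("model", path), gate(path, body, approver)) for path, body in requests]

if __name__ == "__main__":
    def ask_on_console(decision: Decision, body: dict) -> bool:
        print(f"APPROVAL NEEDED: {decision.reason}\n  {json.dumps(body)}")
        return False   # offline demo: nobody is present to approve
    for label, sent in review(SAMPLE_REQUESTS, ask_on_console):
        print(f"{'sent' if sent else 'held':4}  {label}")
```

The order of checks matters: the secret scan runs before the allow-list, so a Slack-scoped call cannot be used to smuggle a token out just because slack/ is trusted, and the default for an unrecognised model family is deny rather than approve, which is what least privilege under a Slack-only label means in practice.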

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The manifest presents this as a Slack-control skill, but the body actually documents a generic third-party API gateway with broad AI, messaging, email, SMS, and scraping capabilities. This mismatch is dangerous because it defeats least-privilege expectations, can mislead reviewers and users about what the skill can do, and may cause the agent to invoke unrelated high-risk actions under a trusted Slack label.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The skill includes email sending and SMS/OTP flows even though the stated purpose is Slack control. These are externally impactful actions that can contact third parties, trigger verification workflows, or be abused for spam, phishing support, or account-interaction operations without users realizing the skill has those powers.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill exposes a large set of unrelated model-execution, media-generation, scraping, and routing features that are not justified by a Slack-control description. This broad capability surface increases the chance of misuse, accidental data disclosure, and policy bypass through alternate providers, and it makes review much harder because the declared purpose no longer bounds expected behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The documented tool catalog exposes capabilities well beyond the skill's stated Slack-focused purpose, including document parsing, email, SMS, embeddings, and presentation generation. This kind of scope mismatch can mislead users and reviewers about what the skill can do, increasing the risk of unexpected data exfiltration, unauthorized communications, or hidden multi-purpose use if these tools are wired into the skill.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The file presents a Slack-oriented skill while advertising broad unrelated model families, which creates a trust and transparency problem. Users may grant approval assuming limited Slack actions, while the documented capability set suggests a much wider operational surface that could be abused for messaging, document handling, or external service use.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The documentation instructs sending prompts, audio, documents, images, search queries, and other content to an external API aggregator and downstream providers without any privacy, retention, or data-handling notice. In context, this is risky because users may reasonably believe they are using a Slack-focused local integration, while the skill can transmit potentially sensitive workplace content to multiple external services.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill documents actions that can affect external systems—sending email and initiating or checking SMS OTP workflows—without warning about user impact or operational consequences. In a skill advertised for Slack control, that omission is particularly dangerous because users may not anticipate third-party communications or verification side effects.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The markdown documents email and SMS sending functions without any warning about external transmission, recipient targeting, cost, privacy, or consent requirements. In an agent skill, silent access to outbound messaging is dangerous because it can enable spam, data leakage, social engineering, or unauthorized notifications if users are not clearly informed.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 84%
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "email/send", "inputs": {"to": "us

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
## Document Processing

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 81%
Finding
https://api.heybossai.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 84%
Finding
https://api.heybossai.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
Send OTP:

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 86%
Finding
https://api.heybossai.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
Verify OTP:

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 85%
Finding
https://api.heybossai.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
Run a task:

```bash
curl -s -X POST https://api.heybossai.com/v1/pilot \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 79%
Finding
https://api.heybossai.com/
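How a description-behavior check of the kind behind the Description-Behavior Mismatch, Context-Inappropriate Capability and External Transmission findings above can be implemented, as an added example that is not SkillSpector's code: it parses a SKILL.md-style document, pulls every host, credential variable and "model" name out of the fenced shell blocks, and compares them with what the front-matter description justifies, reporting each mismatch under the section heading it was found in. The api.heybossai.com host, the $SKILLBOSS_API_KEY variable and the email/send model come from the evidence on this page; the Slack allow-list, the remaining model names, the severity groupings and the constructed sample document are assumptions. The sample uses tilde fences only so that it can sit inside a code block; the parser accepts backtick fences as well.

```python
"""Static scan of a skill document for capabilities its declared purpose does not justify.
Added example, not the scanner's code; see the profile comments for what is assumed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Backtick or tilde fence, optional language tag, body, matching closing fence.
FENCE_RE = re.compile(
    r"^(?P<fence>`{3,}|~{3,})[ \t]*(?P<lang>\w*)[ \t]*\n(?P<body>.*?)^(?P=fence)[ \t]*$",
    re.M | re.S)
HEADING_RE = re.compile(r"^#{1,6}[ \t]+(.+?)[ \t]*$", re.M)
FRONT_MATTER_RE = re.compile(r"\A---\n(.*?)\n---", re.S)
URL_RE = re.compile(r"https?://[^\s\"'\\)]+")
MODEL_RE = re.compile(r'"model"\s*:\s*"([^"]+)"')
ENV_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]+)\}?")

# Assumption: what a declared Slack-control purpose justifies (hosts, model
# name prefixes, credential variable prefixes).
PURPOSE_PROFILES = {
    "slack": {"hosts": {"slack.com", "hooks.slack.com"},
              "model_prefixes": ("slack/",), "env_prefixes": ("SLACK_",)},
}
# Assumption: model families whose calls contact third parties.
HIGH_IMPACT_PREFIXES = ("email/", "sms/", "otp/")

@dataclass(frozen=True)
class Finding:
    kind: str       # named like the findings on the report page
    severity: str   # "High" or "Medium"
    section: str    # nearest markdown heading above the evidence
    evidence: str

def declared_purpose(doc: str) -> str:
    """Profile key named in the front matter, or "" if none is recognised."""
    m = FRONT_MATTER_RE.match(doc)
    text = (m.group(1) if m else "").lower()
    return next((k for k in PURPOSE_PROFILES if k in text), "")

def scan_skill(doc: str) -> list[Finding]:
    profile = PURPOSE_PROFILES.get(declared_purpose(doc))
    if profile is None:
        return [Finding("Missing Declared Purpose", "Medium", "", "front matter names no known purpose")]
    findings, seen = [], set()

    def add(kind, severity, section, evidence):
        if (kind, evidence) not in seen:       # report each (kind, evidence) pair once
            seen.add((kind, evidence))
            findings.append(Finding(kind, severity, section, evidence))

    for m in FENCE_RE.finditer(doc):
        if m.group("lang") not in ("bash", "sh", "shell", ""):
            continue
        headings = HEADING_RE.findall(doc[:m.start()])
        section = headings[-1] if headings else "(top)"
        body = m.group("body")
        for url in URL_RE.findall(body):                  # where data is sent
            host = urlparse(url).hostname or ""
            if host not in profile["hosts"]:
                add("External Transmission", "Medium", section, host)
        for model in MODEL_RE.findall(body):              # what the gateway is asked to do
            if model.startswith(profile["model_prefixes"]):
                continue
            if model.startswith(HIGH_IMPACT_PREFIXES):
                add("Context-Inappropriate Capability", "High", section, model)
            else:
                add("Description-Behavior Mismatch", "Medium", section, model)
        for var in ENV_RE.findall(body):                  # which credentials it reaches for
            if not var.startswith(profile["env_prefixes"]):
                add("Credential Access", "Medium", section, "$" + var)
    return findings

# Constructed sample shaped like the evidence quoted on the page.  Tilde fences
# are used here only because the sample lives inside a code block.
SAMPLE_SKILL_MD = r"""---
name: pub-slack
description: Control Slack channels and messages from the agent.
---
## Slack
~~~bash
curl -s -X POST https://slack.com/api/chat.postMessage \
  -H "Authorization: Bearer $SLACK_BOT_TOKEN" -d '{"channel": "#ops", "text": "hi"}'
~~~
## Email
~~~bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -d '{"model": "email/send", "inputs": {"to": "someone@example.com"}}'
~~~
## Document Processing
~~~bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -d '{"model": "document/parse", "inputs": {"text": "Q3 plan draft"}}'
~~~
"""

if __name__ == "__main__":
    for f in scan_skill(SAMPLE_SKILL_MD):
        print(f"{f.severity:6} {f.kind:34} [{f.section}] {f.evidence}")
```

Against the constructed sample the scan reports the gateway host once, email/send as a high-severity context-inappropriate capability, the non-Slack API key as credential access, and document/parse as a medium description-behavior mismatch; the Slack block itself produces nothing because its host, model scope and token prefix all match the declared purpose.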

VirusTotal

65 of 65 VirusTotal vendors returned a clean verdict for this skill. That verdict covers malicious code in the file itself; it does not address the findings above, which concern what the documented API calls can do once the agent runs them.