Security audit

Temp Access Link

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real temporary file-link service, but it is aimed at sensitive documents while leaving important third-party handling, retention, and download-control details unclear.

Review before installing. Use this only for files you are comfortable sending to api.mkkpro.com, and avoid regulated, confidential, or incident-response documents unless the provider separately documents token-only download enforcement, expiration behavior, deletion, retention, logging, encryption, and access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The declared skill purpose is limited to generating temporary access links, but the API also exposes direct upload and direct file-serving endpoints. This expands the capability surface beyond user expectations and safety review scope, increasing the chance of unauthorized storage, data exposure, or bypass of the intended temporary-link control flow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly encourages sharing sensitive files and confidential materials through a third-party API but does not warn users that file URLs, metadata, and potentially sensitive content will be transmitted to an external service. This creates a real privacy and compliance risk because users may unknowingly send regulated or confidential data off-platform.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The upload endpoint documentation omits an explicit warning that binary file contents are transmitted to and stored or processed by an external API. Because this endpoint handles raw file uploads, the absence of a disclosure is more dangerous than a generic omission: users may submit sensitive documents under the mistaken belief that processing is local or trusted.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Operations such as generating links, uploading files, and serving files are defined with minimal behavioral constraints and no documented authorization, input restrictions, or safe usage boundaries. In an agent context, ambiguous actions can be invoked too broadly or in unintended sequences, leading to accidental exposure of files or misuse of the service.

External Transmission

Medium
Category
Data Exfiltration
Content
```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "access_url": "https://api.mkkpro.com/tools/temp-access-link/access/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_at": "2024-01-15T14:30:00Z",
  "status": "success"
}
```
Confidence
86% confidence
Finding
https://api.mkkpro.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```json
{
  "filename": "sensitive_audit.pdf",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "access_url": "https://api.mkkpro.com/tools/temp-access-link/access/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "status": "uploaded"
}
```
Confidence
92% confidence
Finding
https://api.mkkpro.com/

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.