Back to skill

Security audit

Convbox DiagClaw

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Convbox storefront analytics/reporting skill that reads business data and an API key to produce recommendations, without evidence of hidden exfiltration or automatic account changes.

Install only if you trust Convbox/RTOAI with the store connected to your CONVBOX_API_KEY. Expect the skill to read aggregated marketing, attribution, funnel, tracking, and connected-account metadata, and to save store profile/benchmark preferences in memory for future reports. Review health-check runs because they may probe all declared Convbox endpoints, but the artifacts show recommendations only, not automatic campaign or storefront changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares access to environment variables, file reads, and network-like behavior through its documented workflow, but does not explicitly declare permissions. This weakens reviewability and policy enforcement because operators cannot easily see that the skill reads memory, uses an API key, and reaches external Convbox endpoints. In a skill that handles business data and secrets-adjacent configuration, hidden capabilities increase the chance of over-privileged or unexpected execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is storefront analysis, but the skill also routes into a configuration-health-check utility that validates API keys, probes endpoints, discovers connection/account context, and performs schema checks. That materially expands behavior into credential and infrastructure diagnostics, which can cause unexpected outbound requests and expose sensitive operational metadata beyond what a user would infer from the description. Description-behavior mismatch is especially risky in agent skills because users may authorize a benign-seeming report generator that actually performs broader reconnaissance-like actions.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The skill claims it is a leaf node that does not call tools or Agent.Skills, yet elsewhere instructs invocation of utilities including a config-health-check skill. This inconsistency undermines trust boundaries and makes it harder to reason about what code paths can execute, especially when those utilities may perform network probes and schema validation. In practice, misleading call-chain documentation can bypass reviewer expectations and lead to unapproved capability expansion.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The plan explicitly instructs the agent to write confirmed or overridden health thresholds to persistent memory for future reuse. In a diagnostics/reporting skill, persistent writes create stateful side effects that can outlive the session, potentially storing incorrect, sensitive, or user-manipulated business baselines and influencing later analyses without fresh consent. The skill context makes this more concerning because it is framed as analysis/reporting rather than account configuration, so users may not expect durable state changes.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The plan explicitly says to default to Google search when the user does not specify a search channel. That can cause the agent to proceed with analysis against an assumed platform without explicit user confirmation, which may produce incorrect conclusions, fetch the wrong account data, or analyze a channel the user did not intend. In this skill context the impact is limited because the action is diagnostic rather than directly mutating systems, but it still creates a data-scope and consent problem.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing examples include very broad, everyday phrases like "anything wrong with my campaigns" and "what's off today," which can cause the skill to be selected for vague user requests that may not actually seek campaign-anomaly analysis. In a multi-skill agent, this increases the chance of unintended invocation, leading to incorrect analysis paths, unnecessary data access, and confusion in downstream dispatch to other plans.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The invocation examples include broad phrases like "why did CVR drop" and "where are users dropping off," which can overlap with many adjacent analytics or troubleshooting requests. In a router-driven skill system, this increases the chance of misrouting user intent into this plan, causing the agent to fetch or analyze the wrong business data and produce misleading conclusions or unnecessary downstream chaining.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
access.yaml:9