Clutch

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed CAD-generation workflow for a clutch service, but it has a category-ID inconsistency that users should verify before relying on its product list.

Before installing, confirm with the publisher or service documentation whether clutch products should be fetched with category 31 or 8. Use the skill only if you are comfortable sending design parameters to jixietools.com and creating a guest production sheet link that can be opened with its guest code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The skill declares a clutch category ID of 31 but instructs the agent to fetch products using category_id=8, creating a mismatch between the advertised function and the actual remote data accessed. This can misroute users to unintended products, cause incorrect production-sheet creation, and undermine trust in what external actions the agent is taking.

VirusTotal

63/63 vendors flagged this skill as clean.
