MCP OAuth

Security checks across malware telemetry and agentic risk

Overview

This instruction-only OAuth skill is purpose-aligned, but its sample authentication flow is under-scoped for production use and could lead users to deploy weak OAuth protections.

Treat this skill as a draft pattern, not a production-ready OAuth implementation. Before installing or following it, require exact redirect URI registration and validation, client_id validation, auth-code records tied to client_id/redirect_uri/code_challenge, code_verifier verification at token exchange, tool-level auth enforcement tests, and strong Redis/token handling including encryption where available, least-privilege scopes, no secret logging, revocation, and short practical TTLs.
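The bindings the overview asks for (authorization code tied to client_id, redirect_uri and code_challenge; exact redirect URI registration; code_verifier checked at token exchange; single-use codes with a short TTL) are easier to judge against working code. The following is an added example written for this page, not code from the MCP OAuth skill or from SkillSpector. The class and function names (AuthCodeStore, issue_code, exchange_code), the client registry and the redirect URI are constructed for illustration; an in-memory dict stands in for the Redis store the skill recommends, since the binding and verification logic is the point, not the storage backend.

```python
"""Added example: an authorization-code store that binds each code to
client_id, redirect_uri and a PKCE S256 code_challenge at issuance, and a
token-exchange check that verifies all of them before issuing a token.
Names and sample values are constructed for this example."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed client registry. Redirect URIs are matched exactly (set
# membership), never by prefix or pattern.
REGISTERED_CLIENTS = {
    "mcp-client-abc": {"redirect_uris": {"https://client.example/callback"}},
}
CODE_TTL_SECONDS = 60  # authorization codes are short-lived and single-use


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthCodeStore:
    """Authorization codes keyed by value; each record carries the bindings
    that must be re-checked at token exchange."""

    def __init__(self):
        self._codes = {}

    def issue_code(self, client_id, redirect_uri, code_challenge,
                   code_challenge_method="S256"):
        """Called by the authorization endpoint after user consent."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None:
            raise ValueError("unknown client_id")
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered for this client")
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("PKCE S256 code_challenge required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
            "expires_at": time.time() + CODE_TTL_SECONDS,
        }
        return code

    def exchange_code(self, code, client_id, redirect_uri, code_verifier):
        """Called by the token endpoint. Returns (access_token, error);
        exactly one of the two is None."""
        # pop() consumes the code so a replayed or intercepted code that
        # arrives second finds no record.
        record = self._codes.pop(code, None)
        if record is None or time.time() > record["expires_at"]:
            return None, "invalid_grant"
        # The redeeming client and redirect_uri must match issuance.
        if record["client_id"] != client_id:
            return None, "invalid_grant"
        if record["redirect_uri"] != redirect_uri:
            return None, "invalid_grant"
        # PKCE proof: only the party holding code_verifier can redeem.
        if not hmac.compare_digest(s256_challenge(code_verifier),
                                   record["code_challenge"]):
            return None, "invalid_grant"
        return secrets.token_urlsafe(32), None


if __name__ == "__main__":
    store = AuthCodeStore()
    verifier = secrets.token_urlsafe(48)
    code = store.issue_code("mcp-client-abc", "https://client.example/callback",
                            s256_challenge(verifier))
    print(store.exchange_code(code, "mcp-client-abc",
                              "https://client.example/callback", "wrong"))
    print(store.exchange_code(code, "mcp-client-abc",
                              "https://client.example/callback", verifier))
```

The walkthrough at the bottom shows the two outcomes the findings on this page care about: a wrong code_verifier is rejected, and because the code is consumed on first use, the correct verifier presented afterwards is rejected as well. A production implementation keeps the same checks and swaps the dict for Redis with a key TTL matching CODE_TTL_SECONDS.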

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium (98% confidence)
Finding
The authorization and token flow shown in the skill does not bind authorization codes to a registered client or verify the caller's PKCE proof at token exchange. That breaks a core OAuth security property: a stolen or injected authorization code can potentially be redeemed by an attacker, and unregistered clients can enter the flow with insufficient validation. In an auth skill, this is especially dangerous because users are likely to copy the sample verbatim into production.

Intent-Code Divergence

High (99% confidence)
Finding
The document explicitly claims a 'full MCP authorization spec' implementation, but the sample token endpoint never performs PKCE verification. This can mislead implementers into believing the flow is standards-compliant and secure when a critical protection against authorization code interception is missing. Because the skill is about adding authentication, insecure guidance directly undermines the security boundary it is meant to create.

Missing User Warnings

Medium (82% confidence)
Finding
The skill recommends storing upstream access and refresh tokens in Redis for long periods without explicit handling guidance for sensitive credentials. If Redis access is exposed, logs leak values, or keys are reused insecurely, attackers could obtain long-lived upstream tokens and access user data beyond the MCP server itself. The context increases risk because these are delegated OAuth credentials for third-party services.

VirusTotal

63/63 vendors flagged this skill as clean.