Crm Manager Skill

Security checks across malware telemetry and agentic risk

Overview

This is a local CRM skill with mostly coherent behavior, but it stores sensitive customer data and has unsafe file path handling that warrants review before use.

Review before installing or using with real customer data. Keep it in a trusted workspace, do not use customer names containing slashes, dots, or path-like characters, and require backups plus manual confirmation for writes. The maintainer should add filename validation/path containment, scoped permission metadata, dependency declarations, and privacy/retention guidance before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly performs file reads and writes to persist customer records, but no permissions are declared. This creates a transparency and governance gap: operators and users cannot accurately assess the skill's access scope, and permission enforcement may be bypassed or misconfigured for PII-bearing data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
A description-behavior mismatch is security-relevant because it undermines informed consent and review: the skill appears to do more than the stated CRM CRUD and analytics workflow, including bulk analysis and auto-tagging. Hidden or under-documented processing of all customer records increases privacy and abuse risk, especially when handling personal and behavioral data.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script builds the output path with `os.path.join(data_dir, f"{name}.yaml")` using untrusted customer `name` input without sanitization or canonical path checks. An attacker can supply path traversal sequences such as `../../...` or absolute-path-like values to cause file creation outside `data/customers`, potentially overwriting application files or planting attacker-controlled YAML files elsewhere on the filesystem.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The customer name is directly incorporated into a filesystem path via `f"{name}.yaml"` without validation or canonical path checks. An attacker can supply path traversal sequences such as `../` to cause the script to read arbitrary YAML files outside the intended customer directory, which is especially dangerous in a CRM context because the tool already handles sensitive records and may expose other internal files if they are readable.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill stores and queries customer PII such as names, phone numbers, email addresses, and potentially sensitive service notes, yet the description lacks any privacy warning, handling guidance, or retention/security expectations. This increases the likelihood of inappropriate collection, over-sharing, and unsafe storage of personal data.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Broad trigger conditions for update/note/service-record actions can match ordinary conversation and cause unintended writes to customer files. In a CRM context, accidental invocation is especially risky because it can silently alter records, append misleading notes, or store sensitive conversational content as persistent business data.

Vague Triggers

Medium
Confidence
94% confidence
Finding
A query trigger that activates merely on mention of a customer's name can expose customer records during normal conversation without clear user intent. In this skill's context, that could reveal contact details, notes, and service history, making unintended disclosure of PII more likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script performs a state-changing write operation immediately after NLP parsing unless the optional `--confirm` flag is provided. In an agent or automation context, this can cause unintended customer record creation or corruption from mis-parsed natural language, with no mandatory human verification before persistence.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Automatic tag updates modify customer metadata as a side effect of adding a service record, but there is no separate confirmation or clear warning for this additional write. This increases the risk of silent profile drift, incorrect segmentation, or downstream business decisions based on tags generated from imperfect NLP extraction.

VirusTotal

66/66 vendors flagged this skill as clean.