RPA Caller

Security checks across malware telemetry and agentic risk

Overview

This skill is a visible RPA HTTP-calling helper with sensitive automation powers, but its behavior is disclosed, purpose-aligned, and requires user confirmation before execution.

Install only if you trust the RPA server and understand the workflows it exposes. Before confirming a run, review the endpoint, parameters, submit setting, screenshot setting, file paths, task ID, and whether stopping a task could leave work incomplete. Use a limited-scope API key and avoid pasting high-value credentials into chat when a secret store is available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding
The documented capability map exposes concrete actions for downloading files and capturing screenshots, which go beyond a narrowly described trigger/query/stop wrapper and materially expand what the skill can cause an agent to do. In an agent setting, these actions can access sensitive files or visual data and increase the risk of unintended data exfiltration or privacy-impacting automation if invoked without stronger scope controls.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The trigger phrases are broad and the skill says it "must" be used when users mention generic automation-related terms. This can cause unintended invocation for ambiguous requests, leading the agent to prepare or send HTTP requests to an RPA system when the user may not have intended an external automated action.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The skill description is overly broad and includes mandatory invocation language for many generic automation-related phrases, which can cause the agent to route a wide range of user requests into an HTTP-triggered automation capability without sufficient constraint. In the context of an RPA-calling skill, this increases the chance of unintended task execution, parameter passing, or workflow triggering for ambiguous requests, making misuse materially more dangerous than a normal discoverability issue.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The routing description says the agent should match user intent to function names and trigger keywords, but it does not define hard boundaries, exclusions, or disambiguation rules. That makes accidental or prompt-induced invocation more likely, especially for operations that can submit forms, stop jobs, or interact with external systems over HTTP.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
Several trigger phrases are broad enough to overlap with ordinary conversation, increasing the chance that the agent invokes an RPA action when the user did not mean to automate a real-world task. Because the mapped functions can act on external systems, even a mistaken invocation may produce unwanted submissions, file operations, or workflow side effects.

Vague Triggers

Severity: High
Confidence: 93%
Finding
The stop-task keywords include highly ambiguous everyday terms such as '终止' (terminate) or '暂停' (pause), which appear in many non-RPA contexts and may unintentionally map to cancellation behavior. In this skill context, accidental invocation can terminate active automation jobs, potentially causing business disruption, partial transactions, or data inconsistency.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The file documents operations that can download files, submit forms, and capture screenshots but provides no user-facing warning or consent mechanism around privacy, data handling, or system impact. In an agentic environment, that omission makes it easier for users to trigger sensitive actions without understanding that data may be accessed, modified, or recorded.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The skill instructs the model to ask for BASE_URL and API_KEY and then "remember them in the conversation," which encourages retention of secrets in conversational state. This increases the risk of accidental disclosure, reuse in unrelated contexts, prompt leakage, or exposure through logs and transcripts, especially because the skill performs authenticated HTTP actions against an automation platform.

VirusTotal

VirusTotal findings are pending for this skill version.