Zapier MCP

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Zapier connector, but it handles a highly privileged secret URL with loose endpoint validation and displays that URL in plain view.

Install only if you intentionally want your agent to use Zapier actions. Verify the URL starts with the official Zapier MCP domain, limit the actions exposed in Zapier, avoid sharing or screen-capturing the MCP URL, and require confirmation before actions that send messages, spend money, or modify business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly enables outbound network interaction with Zapier (`actions.zapier.com`) and describes backend RPC methods and mcporter-based remote tool calls, but it declares no permissions. That mismatch is a real security issue because users and hosting systems may not realize the skill can reach external services or transmit sensitive instructions and authenticated MCP URLs off-box.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The handler accepts a user-supplied URL and performs a server-side fetch to it during the test and save flows. Although it restricts input to HTTPS, this still creates an SSRF-style capability: the host can be made to contact arbitrary external, or potentially internal, endpoints. That is more sensitive in an integration skill specifically designed to broker network connections.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The view displays the full personalized Zapier MCP URL directly in the UI. Such URLs often function as bearer-style connection secrets or contain unique tokens identifying the user's integration. Exposing the URL without masking or a warning increases the chance of shoulder-surfing, screen-sharing leaks, screenshots, log capture, or accidental sharing, which is especially risky here because the skill connects to thousands of third-party app actions through MCP.

VirusTotal

64/64 vendors flagged this skill as clean.
