0Codekit

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Membrane-based 0CodeKit skill, but it gives an agent broad authenticated action and raw API request capability without enough scoping or safety guidance.

Review before installing. Use a least-privilege Membrane/0CodeKit account, check exactly which services and scopes are connected, and require explicit approval before running write/delete actions or raw proxy requests. The pending VirusTotal result is not the basis for this verdict; the concern comes from the artifact's own broad authenticated capabilities and limited safety scoping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Severity: High (99% confidence)

Finding
The skill is presented as a narrow 0codekit workspace-management integration, but the body exposes a highly generic Membrane interface spanning many unrelated services, data stores, messaging systems, cloud storage providers, and utility functions. This scope mismatch is dangerous because it can cause overbroad invocation, unexpected cross-service access, and user/operator misunderstanding about what permissions and actions the skill may exercise.

Context-Inappropriate Capability

Severity: High (98% confidence)

Finding
Documenting generic capabilities such as JWT encode/decode, encryption/decryption, OCR, regex evaluation, and image generation materially expands the operational scope beyond managing 0codekit workspaces. Even if these are merely discoverable actions, exposing them in this skill increases the chance the agent will perform sensitive transformations or security-relevant operations unrelated to the user's intent.

Context-Inappropriate Capability

Severity: Medium (97% confidence)

Finding
The documented proxy-request feature permits arbitrary direct API calls through Membrane, which bypasses the safety and predictability of a curated action set. In the context of a supposedly narrow 0codekit skill, this can enable destructive or privacy-impacting requests to connected services, especially if the agent constructs paths or methods from user input without strict controls.

Vague Triggers

Severity: Medium (92% confidence)

Finding
The invocation description is broad enough that the skill could be selected for many generic requests about interacting with external data, not just 0codekit workspaces. Over-triggering increases the chance that the agent will route requests into an overly powerful integration and perform actions outside the user's expectations.

Missing User Warnings

Severity: High (95% confidence)

Finding
The description does not warn users that the skill may connect to external services and access, modify, or proxy data across many systems. Without privacy and action-impact disclosures, users may not understand that invoking the skill could expose sensitive business, personal, or authentication-related data to broad integrations.

Missing User Warnings

Severity: High (98% confidence)

Finding
The proxy-request section explains how to send arbitrary API calls but omits a clear warning that these requests may be destructive, privacy-invasive, or broader than curated actions. This omission is especially dangerous because users may assume a documented capability is safe-by-default when it can issue PUT, PATCH, POST, and DELETE requests against connected systems.

VirusTotal

65/65 vendors flagged this skill as clean.