Aevent

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate-looking AEvent/Membrane integration, but it gives agents broad authenticated write, delete, ban, and raw API powers without enough built-in guardrails.

Install only if you trust Membrane and intend to let an agent operate on your AEvent account. Before any create, delete, ban, unban, or proxy request, require the agent to show the exact connection, resource IDs, endpoint or action, parameters, and expected impact, then confirm manually. Consider revoking the Membrane connection when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill advertises a scoped AEvent integration, but the proxy section explicitly enables arbitrary authenticated requests to any endpoint reachable through the connection. That broadens capability beyond the declared action set and can expose undocumented, sensitive, or destructive APIs if an agent uses the proxy without additional policy checks.

Vague Triggers

Medium
Confidence: 79%
Finding
The activation condition 'Use when the user wants to interact with AEvent data' is overly broad and may cause the skill to trigger in ambiguous situations. In practice, that can lead an agent to invoke powerful read/write capabilities, including destructive or privacy-impacting actions, without sufficiently narrow user intent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation exposes destructive actions such as deleting webinars, forms, and media files without requiring confirmation or warning about irreversible effects. An agent following this guidance could perform accidental deletion based on an imprecise request or hallucinated mapping of IDs.

Missing User Warnings

Medium
Confidence: 90%
Finding
Ban and unban operations affect user access and can have privacy and account governance consequences, yet the skill provides no warning or verification guidance. This increases the risk of wrongful restriction, misuse against attendees, or policy violations from unreviewed enforcement actions.

VirusTotal

65/65 vendors flagged this skill as clean.
