Appdrag

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about using Membrane for AppDrag, but it gives broad authenticated power to modify files, databases, newsletters, email, and raw API endpoints without clear safeguards.

Install only if you intend to let an agent operate your AppDrag account through Membrane. Require explicit confirmation before deletes, writes, renames, SQL execution, newsletter changes, email sending, or any raw proxy request, and connect only the AppDrag account and projects the agent is allowed to manage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

High (96% confidence)

Finding: The manifest and top-level description say the skill is for managing organizations, but the body exposes a much broader operational surface including file management, SQL execution, email, and arbitrary AppDrag interactions. This scope mismatch can cause an orchestrating agent or user to invoke the skill under false assumptions, leading to over-privileged use and unexpected destructive or sensitive actions.

Context-Inappropriate Capability

High (97% confidence)

Finding: The proxy-request feature enables arbitrary API access through the established AppDrag connection, effectively bypassing the narrower action catalog and allowing operations far beyond the declared purpose. In an agent setting, this expands the reachable attack surface and can enable unauthorized reads, writes, or destructive changes if prompts or routing are too broad.

Context-Inappropriate Capability

High (95% confidence)

Finding: The published 'popular actions' include sending email, deleting files and directories, and executing raw SQL, none of which align with a narrowly described organization-management skill. This broad and destructive capability set increases the chance of misuse, accidental invocation, or privilege escalation through overly permissive skill selection.

Vague Triggers

Medium (84% confidence)

Finding: The invocation description is broad enough that an agent may select this skill for generic AppDrag tasks, even when the user did not intend to authorize broad administration. Because the skill also exposes powerful actions, ambiguous routing materially raises the risk of inappropriate tool use.

Missing User Warnings

Medium (88% confidence)

Finding: The documentation advertises destructive capabilities such as deleting files, deleting directories, deleting newsletter lists, and executing SQL without warning about irreversible effects or recommending confirmation. In an autonomous or semi-autonomous workflow, that omission increases the likelihood of accidental destructive actions and insufficient user consent.

VirusTotal

65/65 vendors flagged this skill as clean.