Bitbucket

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Bitbucket integration, but it grants broad authenticated Bitbucket write and proxy access without clear confirmation or scope limits.

Install only if you trust Membrane with access to the Bitbucket workspaces you connect. Use least-privileged Bitbucket access where possible, review OAuth scopes, require explicit confirmation before create/update/delete/comment/proxy actions, and revoke the Membrane connection when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill exposes a generic proxy request capability that can reach arbitrary Bitbucket API endpoints, but the manifest/description does not clearly disclose that breadth. This can cause the skill to be invoked for seemingly routine Bitbucket tasks while actually enabling much broader read/write operations than users or orchestrators may expect.

Vague Triggers

Medium
Confidence: 81%
Finding
The invocation text is broad enough that an agent may select this skill for generic Bitbucket-related requests without clear limits on safe operations. In a skill that includes both write-capable actions and arbitrary proxying, vague routing language increases the chance of over-privileged use or unintended destructive operations.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation advertises creation, update, and direct request capabilities against live Bitbucket resources without warning that these actions can modify repositories, issues, pull requests, and other remote data. In agentic contexts, lack of confirmation guidance materially raises the risk of accidental state changes in production workspaces.

VirusTotal

64/64 vendors flagged this skill as clean.
