Commcare

Security checks across malware telemetry and agentic risk

Overview

This CommCare integration is coherent, but it gives an agent broad authority over sensitive operational data without enough safeguards for write or delete actions.

Install only if you trust Membrane and need CommCare automation. Use a least-privilege CommCare account or project connection, avoid broad admin access, and require explicit confirmation before any create, update, delete, import, export, migration, role/user, SMS, or project-transfer operation. Revoke the Membrane connection when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill description is broad enough that an agent could invoke it for generic requests about managing data or records, even when the user's intent is ambiguous. In a skill that can enumerate records, create/update cases, and proxy arbitrary API requests, over-broad routing increases the chance of unnecessary access to sensitive CommCare data or accidental state-changing actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The proxy request section explicitly enables arbitrary HTTP methods including POST, PUT, PATCH, and DELETE, but does not require confirmation or warn about destructive effects. Because this skill targets a live system containing operational and potentially sensitive health-program data, an agent could modify or delete records through raw API calls without sufficient user awareness or safeguards.

VirusTotal

63/63 vendors flagged this skill as clean.
