Donedone

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate DoneDone integration, but it deserves review because it can permanently delete or broadly modify account data without built-in confirmation guidance.

Install only if you trust Membrane and intend to let an agent access your DoneDone account. Use the least-privileged DoneDone account available, prefer listed Membrane actions over raw proxy requests, and require explicit confirmation before creating, updating, deleting, or sending custom API requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium (91% confidence)

The manifest description says the skill manages Projects and Companies, but the body documents broader capabilities including tasks, mailboxes, conversations, workflows, and arbitrary proxied API requests. This mismatch can cause the agent or user to invoke the skill under incomplete assumptions, increasing the chance of unexpected high-impact operations being performed.

Vague Triggers

Medium (88% confidence)

The activation guidance says to use the skill whenever the user wants to interact with DoneDone data, which is broad enough to trigger the skill for many requests without clarifying sensitivity or operation type. Overbroad routing increases the chance that destructive or high-privilege actions are selected without first establishing user intent and authorization boundaries.

Missing User Warnings

Medium (94% confidence)

The skill advertises permanently destructive actions like deleting tasks and conversations but provides no warning, confirmation requirement, or recovery guidance. In an agent setting, this can lead to irreversible data loss if the wrong action is selected or ambiguous user input is interpreted too aggressively.

VirusTotal

62/62 vendors flagged this skill as clean.
