ClawHub

Ecologi

Security checks across malware telemetry and agentic risk

Overview

This Ecologi skill should be reviewed carefully because it can connect an account and run purchase actions, while its description is partly misleading.

Install only if you intend to connect an Ecologi account through Membrane. Treat purchases and direct API proxy calls as requiring explicit user approval with item, quantity, price, and currency reviewed first, and be aware the published description may route agents to this skill for unsupported CRM tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest advertises broad CRM capabilities (persons, organizations, deals, leads, projects, activities) that are not reflected anywhere else in the skill, which actually targets Ecologi environmental-impact APIs. This mismatch can cause an agent or user to invoke the skill under false assumptions, leading to inappropriate access attempts, incorrect task routing, or unsafe action selection based on capabilities the skill does not have.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill exposes purchase actions such as buying carbon avoidance credits or trees without any requirement for explicit user confirmation, preview of cost, or warning that the operation may create a financial commitment. In an agent setting, this increases the risk of unintended or unauthorized purchases if the model selects an action autonomously or from ambiguous user intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal