Envoy

Security checks across malware telemetry and agentic risk

Overview

This Envoy skill can access and change live workplace data, but its description is inconsistent and its authenticated API proxy is too broad for the guidance provided.

Install only if you specifically want an Envoy workplace or visitor-management connector through Membrane. Verify the exact Envoy account and OAuth permissions before connecting, require explicit approval before creating invites or reservations, and avoid raw proxy requests unless you understand the endpoint, method, and impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Severity: High
Confidence: 95%
The manifest describes CRM-style objects such as Persons, Organizations, Deals, and Leads, while the rest of the skill implements workplace and visitor-management operations. This mismatch can mislead an agent or user into invoking the skill under the wrong assumptions, causing unintended access to employee, visitor, reservation, or invite data. In a tool-selection pipeline, deceptive or inaccurate metadata is security-relevant because it can route sensitive requests to an unexpected integration.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
The overview claims this is Envoy service-mesh software, but the documented actions clearly target the workplace/visitor-management SaaS product. This contradiction increases the chance that an agent or user will misunderstand the system being accessed and mishandle sensitive office, employee, visitor, or reservation data. Misidentification of the target platform is dangerous in security-sensitive automation because it undermines informed consent and correct operational safeguards.

Missing User Warnings

Severity: Medium
Confidence: 90%
The skill advertises actions like creating reservations and visitor invites without clearly warning that these operations change live external records. An autonomous agent could perform state-changing actions on behalf of a user without explicit awareness of the business impact, potentially creating unauthorized bookings or visitor entries. In this context, the skill interacts with real workplace operations, so silent write capabilities are materially risky.

Missing User Warnings

Severity: Medium
Confidence: 96%
The proxy section permits arbitrary API requests with POST, PUT, PATCH, and DELETE while providing no safety guidance about destructive operations or access to sensitive employee and visitor data. This effectively exposes a generic authenticated API client that could bypass the safer action abstractions and perform broad unauthorized reads or writes if an agent is induced to use it. Because Membrane injects valid authentication automatically, misuse could directly affect production Envoy data.

VirusTotal

63/63 vendors flagged this skill as clean.