Firmao

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Firmao integration, but it exposes broad authenticated CRM and invoice-changing access beyond what the short description makes clear.

Install only if you trust Membrane and intend to grant delegated access to your Firmao account. Use the least-privileged Firmao account available, review every action payload before running create or proxy commands, avoid DELETE or write methods unless explicitly intended, and revoke the Membrane connection when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The manifest and top-level description understate the skill’s actual capabilities. The documentation exposes broad CRM/project operations and direct API access, which can cause an orchestrator or user to invoke the skill under the false assumption that it only manages organizations and users, increasing the risk of unintended access or mutation of unrelated business data.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The proxy feature enables arbitrary authenticated requests, including write and delete operations, far beyond the enumerated actions. Without prominently declaring this expanded capability, the skill can be selected for routine data interaction while secretly enabling unrestricted remote API manipulation, which materially increases the blast radius of misuse or prompt-driven errors.

Vague Triggers

Medium
Confidence: 85%
Finding
The invocation description is broad enough to match many generic CRM-related requests, which can cause over-selection of this skill in contexts where its powerful capabilities are unnecessary. Because the skill includes broad data access and proxy functionality, an overly permissive trigger increases the chance of accidental use against sensitive customer and financial data.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation lists actions such as creating customers and invoices, and separately documents raw proxy requests, but does not clearly warn that these operations can create, modify, or delete live CRM records. In an agent setting, missing mutation warnings reduce informed user consent and increase the risk of accidental state-changing operations in production systems.

VirusTotal

65/65 vendors flagged this skill as clean.
