Followup

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Followup integration, but it gives an agent broad authenticated ability to change or delete Followup CRM data without clear approval safeguards.

Install only if you are comfortable granting Membrane-mediated access to your Followup account. Use a least-privileged account if possible, prefer listed actions over raw proxy requests, and require the agent to show the exact endpoint, method, and data before any create, update, or delete operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration

Findings (4)

Description-Behavior Mismatch

Medium, 88% confidence
Finding
The manifest says the skill is for managing Organizations and Users, but the body documents broader Followup capabilities such as reminders, tasks, contacts, and generic API access. This mismatch can cause the skill to be invoked in contexts beyond what users or orchestrators expect, increasing the chance of over-privileged or unintended operations.

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The proxy section allows direct requests to arbitrary Followup API endpoints through an authenticated connection, which is materially broader than the declared skill purpose. That enables access to undocumented or destructive API operations and bypasses the safety boundaries implied by curated actions, making misuse or excessive access more likely.

Vague Triggers

Medium, 83% confidence
Finding
The invocation description is broad enough to match generic requests about Followup data, not just the narrower use case suggested by the metadata. Overbroad routing can cause the skill to activate when another tool would be more appropriate, exposing more capabilities than necessary for the user's request.

Missing User Warnings

Medium, 91% confidence
Finding
The documentation includes destructive actions like deleting reminders and unrestricted direct API requests without requiring confirmation or warning about side effects. In an agent setting, this increases the risk that the tool performs state-changing or irreversible operations without adequate user awareness or review.

VirusTotal

65/65 vendors flagged this skill as clean.
