Footprint

Security checks across malware telemetry and agentic risk

Overview

This Footprint skill is not malicious, but it gives an agent broad authenticated power to connect to services and make direct API changes without clear safeguards.

Install only if you are comfortable giving Membrane delegated access to the relevant Footprint account. Use a least-privileged account, confirm any create/update/delete, billing, credential, role, export, or destruction action before it runs, and consider pinning or reviewing the Membrane CLI package instead of installing the latest global version blindly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill is presented as a Footprint-specific integration, but its documented workflow allows creating connections for arbitrary apps and then issuing generic proxied requests. That broad capability can let an agent operate outside the declared scope, increasing the risk of unauthorized access or unintended actions against other services.

Intent-Code Divergence

Medium
Confidence: 87%
Finding
The documentation names a Footprint URL but also states that if no known app is found, a connector is created automatically for any unmatched app. This contradiction weakens scope boundaries and can mislead an agent into treating a general app-connection mechanism as if it were Footprint-only.

Vague Triggers

Medium
Confidence: 81%
Finding
The activation condition says to use the skill when the user wants to interact with Footprint data, which is broad and underspecified. In combination with the skill's wide action surface, this can cause over-invocation and unnecessary exposure to powerful connection and request capabilities.

Missing User Warnings

Medium
Confidence: 92%
Finding
The proxy section documents direct API access with mutating methods including POST, PUT, PATCH, and DELETE, but does not warn about destructive operations or require confirmation. This makes it easier for an agent to perform irreversible changes or data loss through raw requests that bypass higher-level safety checks.

VirusTotal

65/65 vendors flagged this skill as clean.
