Helium

Security checks across malware telemetry and agentic risk

Overview

This Helium skill looks like a legitimate integration, but it needs review because it can perform broad account administration, including deletions, without clear guardrails.

Install it only if you intend to let an agent administer Helium through Membrane. Use a least-privileged Helium/Membrane account where possible, avoid vague prompts for write operations, and require a separate human confirmation that names the exact device, label, flow, integration, or API path before any delete or raw proxy request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The manifest says the skill is for managing organizations, but the body exposes much broader administrative capability over devices, labels, flows, integrations, and even raw proxy requests. This scope mismatch can cause the orchestration layer or user to invoke the skill under narrower assumptions than its actual power, increasing the chance of unintended high-privilege actions.

Vague Triggers

Medium
Confidence: 88%
Finding
The description 'Use when the user wants to interact with Helium data' is overly broad and can match many unrelated or read-only requests, despite the skill supporting write and delete operations. Over-broad routing increases the risk that an agent selects this skill in contexts where the user did not intend administrative or destructive Helium actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill documents destructive operations such as deleting flows, integrations, labels, and devices without any requirement for confirmation, dry-run, or safety interstitial. In an agent setting, this can translate into accidental irreversible changes if the model interprets a user request too aggressively or acts on ambiguous instructions.
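The overview's guidance (confirm the exact device, label, flow, integration, or API path before any delete or raw proxy request) and this finding (no confirmation or dry-run for deletes) describe the same missing control. The following is an added example of that control, written for this page and not taken from the Helium skill, Membrane, or SkillSpector: a small gate the orchestration layer runs before executing a tool call. It classifies the call as read, write, destructive, or raw proxy, and refuses destructive and raw-proxy calls unless an out-of-band human confirmation names the exact target. The ToolCall shape and the resource path pattern (/devices/<id>, /labels/<id>, /flows/<id>, /integrations/<id>) are assumptions for illustration, not Helium's documented API.

```python
"""Confirmation gate for an agent's Helium/Membrane tool calls (added example).

Classifies each call and refuses destructive and raw-proxy calls unless a human
confirmation names the exact target. The ToolCall shape and resource paths are
assumptions for illustration, not Helium's or Membrane's documented API.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

WRITE_METHODS = {"POST", "PUT", "PATCH"}
DESTRUCTIVE_METHODS = {"DELETE"}
# Assumed path shape for the resources the skill can delete.
RESOURCE_RE = re.compile(
    r"^/(?P<kind>devices|labels|flows|integrations)/(?P<id>[A-Za-z0-9_-]+)$"
)


@dataclass(frozen=True)
class ToolCall:
    method: str
    path: str
    raw_proxy: bool = False  # the skill's raw proxy tool, bypassing typed wrappers


@dataclass(frozen=True)
class Confirmation:
    """Captured from the human out-of-band, never parsed out of the prompt."""
    kind: str    # "device" | "label" | "flow" | "integration" | "path"
    target: str  # exact identifier, or "METHOD /exact/path" for kind == "path"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    classification: str
    reason: str


def classify(call: ToolCall) -> str:
    if call.raw_proxy:
        return "raw_proxy"  # highest risk regardless of HTTP method
    method = call.method.upper()
    if method in DESTRUCTIVE_METHODS:
        return "destructive"
    if method in WRITE_METHODS:
        return "write"
    return "read"


def required_confirmation(call: ToolCall) -> Optional[Confirmation]:
    """The exact confirmation a call must carry; None means none is needed."""
    cls = classify(call)
    if cls in ("read", "write"):
        return None
    if cls == "destructive":
        m = RESOURCE_RE.match(call.path)
        if m:
            # "devices" -> "device", "flows" -> "flow", etc.
            return Confirmation(kind=m.group("kind").rstrip("s"), target=m.group("id"))
    # Raw proxy, or a delete on a path we do not recognise: require the exact request line.
    return Confirmation(kind="path", target=f"{call.method.upper()} {call.path}")


def authorize(call: ToolCall, confirmation: Optional[Confirmation] = None,
              dry_run: bool = False) -> Decision:
    """Decide whether the agent may execute `call`. Nothing is executed here."""
    cls = classify(call)
    needed = required_confirmation(call)
    if needed is None:
        verdict = Decision(True, cls, "no confirmation required")
    elif confirmation is None:
        verdict = Decision(False, cls,
                           f"needs human confirmation naming {needed.kind} {needed.target!r}")
    elif confirmation != needed:
        # Wrong kind, wrong id, wildcard, or "all devices": refuse rather than guess.
        verdict = Decision(False, cls,
                           f"confirmation {confirmation.kind} {confirmation.target!r} "
                           f"does not name {needed.kind} {needed.target!r}")
    else:
        verdict = Decision(True, cls, f"confirmed {needed.kind} {needed.target!r}")
    if dry_run:
        # A dry run reports what would happen but never permits execution.
        outcome = "would execute; " if verdict.allowed else "would refuse; "
        return Decision(False, cls, "dry-run: " + outcome + verdict.reason)
    return verdict


if __name__ == "__main__":
    # Constructed calls, not captured traffic.
    print(authorize(ToolCall("GET", "/devices")))
    print(authorize(ToolCall("DELETE", "/flows/flow-123")))
    print(authorize(ToolCall("DELETE", "/flows/flow-123"), Confirmation("flow", "flow-123")))
    print(authorize(ToolCall("POST", "/v1/anything", raw_proxy=True)))
```

The point of matching the whole Confirmation object, rather than just checking that some confirmation exists, is that a confirmation for flow-999 or for "all devices" cannot be reused to delete flow-123; the gate refuses on any mismatch. Reads and typed writes pass without confirmation here, matching the page's guidance, but a deployment could tighten write handling in the same place.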

VirusTotal

63/63 vendors flagged this skill as clean.
