Chargebee

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Chargebee/Membrane integration, but it gives an agent broad billing and destructive account authority without enough scoping or confirmation guidance.

Install only if you intend to let an agent administer Chargebee through Membrane, not just look up customers. Use a least-privilege or sandbox Chargebee connection where possible, verify the Membrane CLI package/version before global installation, and require manual approval before refunds, invoice voids, customer deletion, subscription cancellation, pricing changes, or raw proxy requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
The manifest and description say the skill is for managing customers, but the documented capabilities include subscription, invoice, item price, refund, void, and other billing operations. This scope mismatch can cause an orchestrator or user to invoke the skill under the assumption it is low-risk customer management, when it actually enables materially broader financial actions.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding:
The proxy request section explicitly allows arbitrary API requests to Chargebee through Membrane, which bypasses the narrower set of listed actions and effectively grants broad API reach. In a skill presented as customer management, this hidden expansion of capability is dangerous because it permits unbounded operations, including sensitive or destructive ones, beyond what the manifest suggests.

Vague Triggers

Medium
Confidence: 86%
Finding:
The invocation guidance says to use the skill when the user wants to interact with Chargebee data, which is overly broad and does not constrain when the skill should be selected. Broad trigger conditions increase the chance the agent invokes a high-privilege billing skill in ambiguous situations, exposing sensitive data or enabling unintended actions.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill advertises destructive actions such as canceling subscriptions, deleting customers, refunding invoices, and voiding invoices without any warnings, confirmation requirements, or guidance about irreversible consequences. In a billing context, missing safeguards can lead to accidental financial loss, service disruption, or compliance issues if an agent executes these actions too readily.

VirusTotal

65/65 vendors flagged this skill as clean.
