Knowfirst

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real KnowFirst/Membrane integration, but it grants broad authenticated API access with unclear boundaries and weak safeguards for write or raw proxy actions.

Install only if you trust Membrane and intend to let an agent use your KnowFirst account. Require the agent to show the exact action, endpoint, HTTP method, and payload before any write, delete, file, user-management, or raw proxy request, and avoid sending unnecessary private business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The manifest advertises broad capabilities such as managing organizations, activities, notes, files, pipelines, and users, but the body of the skill only documents a much narrower KnowFirst surface focused on projects/documents/search and a small set of business-tracking actions. This mismatch can cause an agent to invoke the skill under false assumptions and then fall back to raw proxy/API behavior, increasing the chance of unintended access attempts or unsafe operations.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The overview lists entities like Project and Document, while the later documented actions are about businesses, feeds, and tracking. These contradictory descriptions make the operational scope ambiguous, which can mislead an agent into selecting incorrect actions or making broad proxy requests against endpoints that were not clearly intended.

Vague Triggers

Medium
Confidence: 80%
Finding
The invocation description is overly broad and could cause the skill to be selected for generic requests involving 'KnowFirst data' without clear task boundaries. Over-broad routing increases the chance that an agent will use this skill in contexts involving sensitive reads or writes that the user did not specifically intend.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly encourages direct proxy requests with arbitrary HTTP methods, headers, body data, query parameters, and path parameters, but it neither requires user confirmation or endpoint allowlisting nor warns about data exfiltration and destructive operations. In practice, this gives an agent a generic authenticated request primitive that could read, modify, or delete remote data beyond the safer prebuilt actions.

VirusTotal

65/65 vendors flagged this skill as clean.
