Loopmessage

Security checks across malware telemetry and agentic risk

Overview

This LoopMessage skill is not malicious, but it needs review because it can use authenticated access to read or change messaging/account data beyond its narrow description.

Install only if you intend to let an agent connect to LoopMessage through Membrane. Prefer curated Membrane actions, use a least-privilege account where possible, and require explicit approval for raw proxy requests, especially before sending, editing, or deleting messages, users, organizations, or conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest advertises a narrower scope ('Manage Users, Organizations') than the body of the skill, which also enables conversations, messages, and raw API access. This scope mismatch can cause an agent or user to invoke the skill under false assumptions and then perform broader operations than expected, including data access or modification outside the declared purpose.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The overview expands the skill's effective scope to message and conversation operations that are not reflected in the manifest. In an agent setting, undocumented expansion of capability increases the chance of unintended access to communication data or message-sending actions when the skill is selected for a seemingly narrower task.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The proxy request feature effectively grants arbitrary API access through authenticated credentials, bypassing the safety of curated actions and allowing access beyond the stated skill purpose. Because it supports general paths and multiple HTTP methods, it can be used to read, modify, or delete resources the user did not expect this skill to handle.

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation guidance 'Use when the user wants to interact with LoopMessage data' is overly broad and may cause the skill to be selected for many requests without sufficient scoping. Over-broad routing increases the likelihood that an agent reaches a powerful integration, including raw API features, when a narrower or read-only workflow would have been more appropriate.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation presents direct proxy access with destructive HTTP methods like POST, PUT, PATCH, and DELETE without any caution, approval requirement, or mention of irreversible effects. In an autonomous or semi-autonomous agent context, that omission materially raises the risk of accidental data modification, message sending, or deletion through a highly privileged channel.

VirusTotal

65/65 vendors flagged this skill as clean.
