Pennylane

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it gives an agent broad, authenticated Membrane access under a description that blurs Pennylane and PennyLane, so it is not obvious which service the agent is actually being connected to.

Install only if you intentionally want an agent to use Membrane with a Pennylane account and you have confirmed which Pennylane service is being connected. Require explicit approval before the agent creates a connector or issues any POST, PUT, PATCH, DELETE or raw proxy request, and revoke the Membrane connection once it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The manifest presents this as a Pennylane-specific integration, but the body of the skill is a generic Membrane connection/action/proxy wrapper that is not limited to Pennylane. An agent that selects the skill on the strength of the manifest can end up holding broader networked capabilities than the user reasonably expected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The raw proxy request feature lets the agent send arbitrary HTTP requests through Membrane with the established credentials, which materially expands the skill beyond a narrowly scoped Pennylane integration. If an agent is induced to use it, it can bypass the intended guardrails, reach endpoints the user never meant to expose, or perform unsafe state-changing operations against connected services.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The connection workflow finds or creates connections by arbitrary app URL or domain, which exceeds the stated Pennylane-specific purpose. In practice this turns the skill into a generic app-connection bootstrapper and lets an agent pivot into unrelated external systems.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The invocation condition is broad enough that an agent may select this skill for loosely related requests, which needlessly exposes connection creation, action discovery and the proxy feature. Overbroad routing language is dangerous in capability-bearing skills because it raises the chance of accidental misuse.
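The overview recommends an approval step before connector creation and before any POST, PUT, PATCH, DELETE or raw proxy request, and the second and third findings explain why: the proxy and the connect-by-URL paths are the parts of the skill that escape the Pennylane scope. The following gate is an added example of how an operator could enforce that policy in front of the skill. It is not code from the skill, from Membrane or from SkillSpector; the call shape (`kind`, `url`, `method`) and the allowed host `app.pennylane.com` are assumptions and must be replaced with the shape of the real tool calls and the host of whichever Pennylane service the account actually belongs to.

```python
"""Approval gate for an agent tool that wraps a generic connect/action/proxy
integration. Added example: the ToolCall shape and ALLOWED_HOSTS are assumed."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumption: the single host the Pennylane skill is supposed to reach.
ALLOWED_HOSTS = {"app.pennylane.com"}

READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

ALLOW, APPROVE, DENY = "allow", "require_approval", "deny"


@dataclass(frozen=True)
class ToolCall:
    kind: str                      # assumed: "connect", "action" or "proxy"
    url: Optional[str] = None      # app URL/domain (connect) or target URL (proxy)
    method: str = "GET"            # HTTP method for action/proxy calls


def host_of(url: str) -> str:
    """Extract the lowercase hostname; bare domains are treated as https URLs.
    Using urlparse().hostname (not a prefix match) defeats lookalikes such as
    app.pennylane.com.evil.example or userinfo tricks like app.pennylane.com@evil.example."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def decide(call: ToolCall) -> Tuple[str, str]:
    """Return (decision, reason) for a proposed tool call.

    Policy (from the page's overview and findings):
      - connect: only to the allowed host, and always with human approval
      - proxy:   only to the allowed host, and always with human approval
      - action:  read-only methods run; state-changing methods need approval
    """
    method = call.method.upper()

    if call.kind == "connect":
        if call.url is None or host_of(call.url) not in ALLOWED_HOSTS:
            return DENY, "connection target is outside the allowed Pennylane host"
        return APPROVE, "connector creation needs explicit approval"

    if call.kind == "proxy":
        # Raw proxy means arbitrary authenticated HTTP; never let it auto-run.
        if call.url is None or host_of(call.url) not in ALLOWED_HOSTS:
            return DENY, "raw proxy request to a non-allowlisted host"
        return APPROVE, "raw proxy requests always need explicit approval"

    if call.kind == "action":
        if method in READ_ONLY_METHODS:
            return ALLOW, "read-only action"
        if method in MUTATING_METHODS:
            return APPROVE, f"state-changing method {method} needs explicit approval"
        return DENY, f"unrecognised HTTP method {method}"

    return DENY, f"unknown call kind {call.kind!r}"


def gate(calls):
    """Evaluate a batch of proposed calls; returns a list of (call, decision, reason)."""
    return [(c, *decide(c)) for c in calls]


if __name__ == "__main__":
    # Constructed sample calls an agent might propose while using the skill.
    proposed = [
        ToolCall("connect", url="app.pennylane.com"),
        ToolCall("connect", url="https://app.pennylane.com.evil.example/"),
        ToolCall("action", method="GET"),
        ToolCall("action", method="DELETE"),
        ToolCall("proxy", url="https://app.pennylane.com/api/v1/invoices", method="POST"),
        ToolCall("proxy", url="https://app.pennylane.com@evil.example/", method="GET"),
    ]
    for call, decision, reason in gate(proposed):
        print(f"{decision:17} {call.kind:8} {call.method:7} {call.url or '-'}  ({reason})")
```

The gate deliberately returns a decision rather than executing anything, so it can sit between the agent's planner and the tool runtime and hand `require_approval` items to a human. Revoking the Membrane connection at the end of the session, as the overview advises, is a separate step that the gate cannot perform for you.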

VirusTotal

65/65 vendors rated this skill clean.