Phos

Security checks across malware telemetry and agentic risk

Overview

This prompt-only Phos skill is not malicious, but it should be reviewed because it delegates authenticated access to Phos through Membrane while its scope and write safeguards are unclear.

Install only if you recognize this Phos service and trust Membrane to mediate authentication and API requests. Use a least-privileged or read-only account where possible, confirm the exact Phos data being accessed, know how to revoke the Membrane connection, and require explicit user approval before any write, delete, automation, or raw proxy request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch
Medium, 94% confidence

Finding: The skill metadata frames Phos as a generic data/records/workflow tool, while the body describes a cloud-cost-management SaaS and then grants broad API access patterns through Membrane. This mismatch can cause the agent to invoke the skill in contexts broader than intended and perform sensitive operations against an infrastructure-finance system without clear user understanding.

Context-Inappropriate Capability
Medium, 97% confidence

Finding: The proxy request feature allows arbitrary HTTP requests to the Phos API, including potentially state-changing endpoints, which is materially broader than curated managed actions. In an agent setting, this increases the risk of unauthorized reads, writes, deletions, or workflow changes if the model guesses endpoints or acts on ambiguous user instructions.

Vague Triggers
Medium, 88% confidence

Finding: The activation condition 'use when the user wants to interact with Phos data' is overly broad and can trigger the skill for many ambiguous requests. Overbroad routing is dangerous because this skill can authenticate to an external system and invoke actions or raw API requests that may expose or modify sensitive business records.

Missing User Warnings
Medium, 95% confidence

Finding: The documentation presents direct proxy requests with support for POST, PUT, PATCH, and DELETE but does not warn about destructive effects or require confirmation before mutation. In a tool-using agent, omission of such safeguards can normalize unsafe use of raw API calls and lead to accidental data modification, deletion, or configuration changes.

VirusTotal

64/64 vendors flagged this skill as clean.