Rafflys

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Rafflys integration, but it grants broad authenticated API access that can modify or delete Rafflys data without clear safeguards.

Install only if you trust Membrane and the Rafflys account connection you will grant. Use the least-privileged Rafflys account available, prefer listed Membrane actions over raw proxy requests, and require explicit approval before any POST, PUT, PATCH, DELETE, user, organization, or workflow-changing action. Revoke the Membrane connection when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The manifest advertises a narrow management scope, but the body of the skill enables broad action discovery, arbitrary action execution, and direct proxied API access. This mismatch can cause the agent to invoke the skill in situations broader than users expect, increasing the chance of over-privileged operations or unintended access to Rafflys resources.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The invocation description is broad enough that the skill may be selected for vague requests involving Rafflys data, even when the user did not intend broad operational or administrative access. In context, that is more dangerous because the skill exposes generic action enumeration and execution, so over-triggering can lead to unnecessary access or unintended mutations.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill documents direct proxy access with GET, POST, PUT, PATCH, and DELETE but does not require confirmation, scope restrictions, or warnings about irreversible changes. In a connected SaaS environment, this materially raises the risk of accidental or unauthorized data modification, deletion, or workflow disruption through generic API calls.

VirusTotal

59/59 vendors flagged this skill as clean.