Semgrep

Security checks across malware telemetry and agentic risk

Overview

This Semgrep skill is not malicious, but it gives an agent broad Semgrep account-changing power, including deletion and raw authenticated API calls, without enough scoping or confirmation guidance.

Install only if you trust Membrane and intend to let an agent operate against Semgrep with your account authority. Use the least-privileged Semgrep account available, review the OAuth connection, and require explicit confirmation before deletes, bulk triage, policy changes, tag changes, scan toggles, project updates, or raw proxy requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium (95% confidence)

Finding: The manifest describes the skill narrowly as managing Semgrep rules and scans, but the body documents much broader capabilities including deployments, projects, policies, secrets, and arbitrary API proxying. This mismatch can cause an orchestrator or user to invoke the skill under a false assumption of limited scope, increasing the risk of over-privileged or unexpected administrative actions.

Context-Inappropriate Capability

Medium (98% confidence)

Finding: The proxy request feature enables arbitrary authenticated requests to the Semgrep API, which is materially broader than the stated purpose of interacting with rules and scans. In practice, this can bypass narrower action boundaries and expose any API operation permitted by the connection, including sensitive reads or destructive writes.

Description-Behavior Mismatch

Medium (96% confidence)

Finding: The documented action catalog includes broader administrative and destructive operations such as delete-project, update-policy, bulk-triage, and tag manipulation that are not reflected in the manifest description. This creates a capability-disclosure gap that can mislead users and agents about the true blast radius of using the skill.

Missing User Warnings

Medium (93% confidence)

Finding: The skill documentation advertises destructive actions like project deletion and state-changing updates without any requirement for confirmation, dry-run guidance, or warnings about irreversible effects. In an agentic context, omission of such guardrails makes accidental destructive execution significantly more likely.

VirusTotal

65/65 vendors flagged this skill as clean.