Sessions

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because its service scope is inconsistent and it allows broad authenticated proxy requests beyond the stated Sessions integration.

Review carefully before installing. Confirm which Sessions product and connector this is meant to control, prefer Membrane's discovered actions over raw requests, avoid full-URL proxy calls, and require explicit approval before any POST, PUT, PATCH, DELETE, export, file access, or request outside the intended Sessions API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill metadata and body describe different products and data models: the manifest says it manages Sessions, Persons, Organizations, Notes, and Files, while the content describes a session replay/message model. This mismatch can cause the agent to invoke the skill in the wrong context, misunderstand what data or actions are in scope, and make unsafe or incorrect requests against an external system.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill is presented as a scoped Sessions-data integration, but it explicitly allows arbitrary direct HTTP requests and even full-URL requests 'as-is'. That breaks the declared trust boundary and can be abused to reach unintended endpoints, perform unreviewed actions, or use the agent as a generic network client beyond the stated integration scope.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Permitting full arbitrary URL requests is unnecessary for a skill whose stated purpose is interacting with Sessions data. This expands capability far beyond user expectations and increases the risk of SSRF-like behavior, data exfiltration, or misuse of authenticated network access through Membrane.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation description is broad enough that the skill may activate on ordinary references to 'Sessions data' without clear user intent to use this specific external integration. Over-broad triggering increases the chance of unnecessary external calls, unintended data access, or routing user requests into a more privileged tool than needed.

VirusTotal

65/65 vendors flagged this skill as clean.
