ClawHub

Slybroadcast

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Slybroadcast integration, but it gives broad authenticated control over voice-broadcasting actions with unclear scope and limited user-control guidance.

Install only if you intend to let an agent operate your Slybroadcast account through Membrane. Require explicit approval before any broadcast, recipient-list change, credit-affecting action, deletion, or raw proxy request, and verify recipients, message content, timing, and costs before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest description advertises broad CRM-style capabilities that do not match the actual Slybroadcast-focused implementation. This mismatch can cause the agent to invoke the skill for unrelated requests and then use direct API/proxy capabilities against an external service under false assumptions, creating a scope-confusion risk and potential unintended data access or actions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The top-level manifest/documentation contradicts the rest of the file about what system the skill targets. In agent settings, contradictory identity and scope information is dangerous because routing and trust decisions may rely on the manifest, leading the skill to be selected in the wrong context and to operate on an external integration the user did not intend.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation description is overly broad, so many loosely related user requests about 'Slybroadcast data' could trigger the skill even when a narrower or safer tool should be used. Over-broad routing increases the chance of unnecessary external calls, over-collection of data, or execution of actions beyond the user's precise intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents a generic direct API proxy path to the external service without requiring an explicit user warning or confirmation before sending data. That makes it easier for an agent to transmit user content, identifiers, or other sensitive information to Slybroadcast through arbitrary endpoints without clear user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal