Spotlightr

Security checks across malware telemetry and agentic risk

Overview

This Spotlightr skill is not clearly malicious, but it gives an agent broad authenticated control over a Spotlightr/Membrane connection without enough limits or approval guidance.

Install only if you are comfortable delegating broad Spotlightr access through Membrane. Use the least-privileged account available, review the Membrane CLI before installing it globally, and require explicit confirmation before any write, delete, billing, API-key, user-management, or security-setting action. The static scan found no executable-pattern issues and the VirusTotal result was still pending, so this review verdict is based on the skill text and its broad authenticated authority rather than on malware evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The manifest advertises a narrow capability set ('Organizations, Users, Goals, Filters'), but the body documents a much broader integration model with arbitrary action discovery and execution. This scope mismatch is dangerous because routing, approval, or user trust decisions may be made from the manifest while the actual skill can perform materially broader operations than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The documentation enumerates an extremely broad set of entities and CRUD-like capabilities far beyond the declared purpose, effectively turning the skill into a general-purpose Spotlightr operator. In context, this increases the chance of overbroad invocation and misuse, especially where downstream systems assume the skill is limited to a few administrative objects.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
Direct arbitrary API proxying gives the agent a generic authenticated request primitive that can bypass the safety and field constraints of curated actions. Given the manifest's narrow stated purpose, this materially expands the attack surface to potentially any endpoint, including destructive or sensitive operations, with little visibility or policy enforcement.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The invocation text 'Use when the user wants to interact with Spotlightr data' is broad enough to match many routine requests, encouraging this high-capability skill to activate in situations where a narrower or read-only workflow would be safer. Because the skill can search actions and issue proxy requests, overbroad matching increases the likelihood of unnecessary privileged execution.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation instructs the agent how to run actions and pass arbitrary JSON input, but it neither warns about nor constrains destructive operations. In a skill with broad action discovery, this omission can normalize unsafe execution patterns and lead to unintended writes, deletions, or configuration changes without adequate user awareness.

VirusTotal

63/63 vendors flagged this skill as clean.