Starton

Security checks across malware telemetry and agentic risk

Overview

This Starton skill is not clearly malicious, but it gives an agent broad authenticated access to sensitive Starton and blockchain operations with weak scoping.

Install only if you trust Membrane and need agent-assisted Starton administration. Use the least-privileged Starton/Membrane connection available, review granted permissions, and require explicit approval before API key, role, wallet, transaction, write, delete, or raw proxy operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest frames the skill as managing Projects, Users, and Roles, but the body documents a much broader integration surface including wallets, NFTs, transactions, storage, and arbitrary API proxying. This mismatch can cause the agent-selection layer and users to underestimate the privilege and data-access scope of the skill, increasing the chance of unintended use on sensitive Starton resources.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill exposes a generic authenticated proxy request mechanism that permits arbitrary Starton API access beyond the narrowly declared management purpose. In an agent context, this materially expands the attack surface because any prompt that reaches this skill could be transformed into broad authenticated actions against the external service, bypassing safer action-level constraints and discoverability.

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation text 'Use when the user wants to interact with Starton data' is overly broad and can cause the skill to trigger on vague or generic requests. Because the skill supports authenticated external operations, broad routing criteria raise the likelihood of accidental invocation and overbroad access relative to the user's actual intent.

VirusTotal

63/63 vendors flagged this skill as clean.
