ClawHub

Upstash Redis

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Upstash Redis integration, but it gives broad authenticated API access that could modify or delete Redis data without clear confirmation guardrails.

Install only for an Upstash Redis account you intend the agent to access. Prefer read-only discovery actions first, require explicit confirmation before writes, deletes, bulk changes, or raw proxy calls, review the Membrane CLI install/version, and revoke the Membrane connection when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents a generic proxy request mechanism supporting mutating HTTP methods like POST, PUT, PATCH, and DELETE without any warning about destructive effects, confirmation requirements, or least-privilege usage. In a Redis/data-management context, this can lead an agent to modify or delete production data through raw API calls more easily than intended, especially when bypassing safer pre-built actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal