Voyage AI CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Voyage AI and MongoDB Atlas CLI guide, with expected but sensitive API, database, and global CLI setup behaviors users should handle carefully.

Before installing, verify the voyageai-cli npm package and publisher. Use least-privilege Voyage AI and MongoDB credentials, avoid placing real API keys directly in shell history, and test store, ingest, index create, and index delete commands on non-production databases first. Do not embed or ingest sensitive documents unless you intend for their text and metadata to be processed by the configured external services and stored in Atlas.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Low
Confidence: 95%
Finding
The environment variable table incorrectly states that `VOYAGE_API_KEY` is obtained from MongoDB Atlas, even though it is the credential used for Voyage AI API access. This can mislead users into supplying the wrong secret, cause authentication confusion, and increase the chance of mishandling or over-sharing credentials across services.

Vague Triggers

Medium
Confidence: 77%
Finding
The trigger list includes generic phrases such as embedding- and similarity-related requests that could match common user intents beyond this specific tool. In an agent environment, overly broad triggers can cause the skill to activate unexpectedly, leading to unintentional transmission of user content to external APIs or database operations when the user did not explicitly request this integration.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill describes embedding, reranking, storage, and vector search workflows without clearly warning that prompts, documents, and metadata may be sent to Voyage AI and/or stored in MongoDB Atlas. In agent use, this omission can cause sensitive user data to be transmitted or persisted without informed consent, especially because the skill supports bulk ingest and database writes.

VirusTotal

59/59 vendors flagged this skill as clean.