R2 Storage

Security checks across malware telemetry and agentic risk

Overview

The skill provides the advertised Cloudflare R2 storage commands, but it ships with hardcoded R2 credentials and a specific account endpoint as defaults, so anyone who runs it without overriding those values operates on someone else's storage account, and the embedded keys themselves are exposed to every user of the skill.

Review before installing. Do not use this as-is unless you own or are explicitly authorized to use the embedded R2 account. The publisher should remove the hardcoded credentials and endpoint, rotate the exposed keys, require explicit user-provided credentials, and add warnings or confirmation around delete and sharing-link operations.
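The remediation above comes down to two code changes: credential loading must fail closed instead of falling back to a baked-in account, and the delete path must require an explicit confirmation. The block below is an added example (not the skill's own code) that shows the weak loader pattern next to a hardened one and a confirmation gate for deletes. The placeholder endpoint and key values are constructed stand-ins, and the endpoint regex is an assumed shape for a per-account R2 S3 endpoint (32-hex account id, optional jurisdiction label).

```python
"""Added example: an R2 helper's credential loading done the weak way and the
fail-closed way, plus a confirmation gate for deletes. Example code, not the
skill's own; the placeholder account values below are constructed."""
import os
import re
from typing import Dict, List, Mapping, Optional

# Constructed stand-ins for the hardcoded values the report describes. A helper
# that ships defaults like these targets this account whenever no env var is set.
_PLACEHOLDER_ENDPOINT = "https://00000000000000000000000000000000.r2.cloudflarestorage.com"
_PLACEHOLDER_KEY_ID = "EXAMPLEKEYID"
_PLACEHOLDER_SECRET = "EXAMPLESECRET"

REQUIRED_VARS = ("R2_ENDPOINT", "R2_ACCESS_KEY_ID", "R2_SECRET_ACCESS_KEY")

# Assumed shape of a per-account R2 S3 endpoint: 32-hex account id, optional
# jurisdiction label, then r2.cloudflarestorage.com.
_ENDPOINT_RE = re.compile(r"^https://[a-f0-9]{32}(\.[a-z]+)?\.r2\.cloudflarestorage\.com$")


class MissingCredentials(RuntimeError):
    """Raised when the caller has not supplied every required value."""


def load_config_weak(env: Mapping[str, str] = os.environ) -> Dict[str, str]:
    """The pattern the scan flags: lookups that fall back to baked-in account values."""
    return {
        "endpoint": env.get("R2_ENDPOINT", _PLACEHOLDER_ENDPOINT),
        "access_key_id": env.get("R2_ACCESS_KEY_ID", _PLACEHOLDER_KEY_ID),
        "secret_access_key": env.get("R2_SECRET_ACCESS_KEY", _PLACEHOLDER_SECRET),
    }


def load_config_strict(env: Mapping[str, str] = os.environ) -> Dict[str, str]:
    """Hardened: no defaults at all, fail closed, sanity-check the endpoint."""
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise MissingCredentials(
            "set " + ", ".join(missing) + " explicitly; this helper ships no default account")
    endpoint = env["R2_ENDPOINT"].rstrip("/")
    if not _ENDPOINT_RE.match(endpoint):
        raise MissingCredentials("R2_ENDPOINT is not a per-account R2 endpoint: " + endpoint)
    return {
        "endpoint": endpoint,
        "access_key_id": env["R2_ACCESS_KEY_ID"],
        "secret_access_key": env["R2_SECRET_ACCESS_KEY"],
    }


def confirm_delete(bucket: str, keys: List[str], confirm: Optional[str]) -> List[str]:
    """Gate for the destructive path: the caller (or the agent's user) must echo a
    token naming the bucket and the exact object count before anything is deleted."""
    if not keys:
        raise ValueError("nothing to delete")
    expected = f"delete {len(keys)} object(s) from {bucket}"
    if confirm != expected:
        raise PermissionError(f"delete not confirmed; pass confirm={expected!r}")
    return list(keys)


if __name__ == "__main__":
    # With an empty environment the weak loader silently picks the baked-in account;
    # the strict loader refuses to run at all.
    print("weak loader with empty env:", load_config_weak({})["endpoint"])
    try:
        load_config_strict({})
    except MissingCredentials as exc:
        print("strict loader with empty env:", exc)
```

The confirmation token deliberately encodes the object count, so an agent that enumerated a bucket and then decided to delete "everything" cannot reuse a token issued for a smaller batch.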

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation indicates it reads credentials from environment variables, but it does not declare any corresponding permissions or security expectations. Hidden access to environment-sourced secrets is risky because agents may invoke the skill without understanding it can consume sensitive credentials and operate on external storage.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill claims generic R2 management, but the description says defaults are pre-configured for a specific account, implying built-in or ambient access to a real remote storage environment. That mismatch is dangerous because a user may believe they are operating only with their own supplied credentials while the skill can instead access someone else's account or a hardcoded endpoint by default.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes a specific Cloudflare R2 endpoint and default access credentials, which means anyone running it without overriding environment variables may connect to and operate on a real remote storage account. In an agent skill context, this is especially dangerous because the tool is presented as a generic storage helper but can silently enable unauthorized access, data exfiltration, modification, or deletion against a fixed third-party account.
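The pattern this finding describes, an environment lookup whose fallback is a real account value, is easy to check for mechanically before installing a skill. The block below is an added example (not part of the skill or of the scanner) that walks a Python source file's AST and reports every `os.environ.get` / `os.getenv` call on a sensitive-looking variable name that carries a non-empty string literal as its default. The sample skill source it runs over is constructed, and the name heuristic is an assumption.

```python
"""Added example: a static check for env lookups that fall back to hardcoded
secrets or endpoints. Example code, not part of the skill or the scanner."""
import ast
import re
from typing import List, Optional, Tuple

# Variable names that should never have a baked-in default (assumed heuristic).
SENSITIVE_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|ENDPOINT|ACCOUNT", re.I)


def _is_env_lookup(func: ast.expr) -> bool:
    """True for os.environ.get(...) and os.getenv(...)."""
    if not isinstance(func, ast.Attribute):
        return False
    if func.attr == "getenv":
        return isinstance(func.value, ast.Name) and func.value.id == "os"
    return (func.attr == "get" and isinstance(func.value, ast.Attribute)
            and func.value.attr == "environ")


def _default_arg(call: ast.Call) -> Optional[ast.expr]:
    """The fallback value, whether passed positionally or as default=..."""
    if len(call.args) > 1:
        return call.args[1]
    for kw in call.keywords:
        if kw.arg == "default":
            return kw.value
    return None


def find_hardcoded_env_defaults(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, env var name, redacted default) for every sensitive-looking
    env lookup whose fallback is a non-empty string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_env_lookup(node.func)):
            continue
        if not node.args or not isinstance(node.args[0], ast.Constant):
            continue
        name = node.args[0].value
        if not isinstance(name, str) or not SENSITIVE_NAME.search(name):
            continue
        default = _default_arg(node)
        if isinstance(default, ast.Constant) and isinstance(default.value, str) and default.value:
            # Redact: a triage report should not re-leak the secret it found.
            findings.append((node.lineno, name, default.value[:4] + "..."))
    return findings


# Constructed sample of the pattern under discussion; the values are placeholders.
SAMPLE_SKILL_SOURCE = '''import os
ENDPOINT = os.environ.get("R2_ENDPOINT", "https://00000000000000000000000000000000.r2.cloudflarestorage.com")
KEY_ID = os.getenv("R2_ACCESS_KEY_ID", "EXAMPLEKEYID")
SECRET = os.environ.get("R2_SECRET_ACCESS_KEY", default="EXAMPLESECRET")
REGION = os.environ.get("R2_REGION", "auto")
BUCKET = os.environ["R2_BUCKET"]
'''


if __name__ == "__main__":
    for line, name, redacted in find_hardcoded_env_defaults(SAMPLE_SKILL_SOURCE):
        print(f"line {line}: {name} falls back to hardcoded value {redacted}")
```

On the sample above the check reports the endpoint, key id and secret lookups and stays quiet on `R2_REGION` (benign default, non-sensitive name) and `R2_BUCKET` (no default at all). It is a triage aid for reading a skill before installing it, not a substitute for the publisher removing the defaults.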

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill advertises object deletion but does not warn that delete operations may be irreversible and can cause permanent data loss. In an agent context, destructive actions without clear safeguards increase the chance of accidental or unauthorized deletion of important storage objects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The credential section states that defaults are pre-configured for a specific account without any warning about secret handling, account ownership, or authorization boundaries. This normalizes use of ambient/shared credentials and can lead to unauthorized access, unintended data exposure, or operations against a third-party storage account.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal