Crewai Team

Security checks across malware telemetry and agentic risk

Overview

This PRD-generation skill is mostly coherent, but it ships runnable scripts with a hard-coded external LLM API key and forced provider endpoint.

Review before installing. Remove the embedded API key from every script, rotate that key if it was real, configure your own provider credentials through environment variables, and avoid submitting confidential product ideas unless you accept sending them to the configured LLM service. Run dependency installation in an isolated environment and review generated logs or PRD files before sharing them externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (65)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises executable workflows that read environment-based API keys and write generated output to local files, but it does not declare corresponding permissions. This creates a transparency and consent problem: users or hosting platforms may run the skill without realizing it accesses secrets and modifies the filesystem.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The stated purpose is PRD generation, but the described behavior also includes use of external model services, possible web search, local file output, and handling of API credentials. This mismatch is dangerous because users may provide sensitive product ideas or internal data without understanding that the content could be transmitted to third-party services or persisted locally.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The PRD simultaneously promises a zero-knowledge, local-only secret model and defines server-side services for integration management, monitoring, logging, storage, and execution that would likely process credentials or sensitive API payloads in practice. This kind of architectural contradiction is dangerous because it can cause developers and users to rely on false security assumptions, leading to secret exposure through backend transit, logs, storage, or operational tooling.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes an external LLM API key and base URL directly in source code, then injects them into process environment variables at runtime. This exposes a live secret to anyone with repository or artifact access and enables unauthorized use of the external service, billing abuse, and downstream data exposure when user prompts are sent off-host.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes a live API key and configures an external API endpoint directly in code. This exposes a credential to anyone with file access or repository visibility and enables unauthorized use of the external service, billing abuse, and possible access to sensitive prompts and outputs sent through that account.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill claims to perform local product-analysis/PRD generation, but it also rewrites process-wide environment variables for model access. This hidden global configuration changes runtime behavior for the entire process and can redirect downstream components to an external service without clear user consent, increasing data exposure and operational unpredictability.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes an API key and configures an external LLM endpoint directly in source code. This exposes a reusable secret to anyone with access to the repository or packaged skill and can enable unauthorized use of the external service, billing abuse, and unintended data transfer to a third-party endpoint.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hard-codes a live external LLM credential and endpoint directly in source, which exposes the secret to anyone with file access and enables unauthorized API use against a third-party service. In this skill context, outbound LLM access is expected for PRD generation, but embedding the credential in code is still dangerous because it turns the repository itself into a secret distribution channel and makes abuse, billing loss, and account compromise more likely.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hard-codes an external API key directly into source code and configures it at runtime. This is dangerous because anyone with access to the file can reuse the credential against the third-party service, leading to unauthorized API usage, billing abuse, and possible access to data handled through that provider; the skill’s PRD-generation purpose does not require shipping a secret in code, which makes the exposure unjustified.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script embeds a live external API credential directly in source code and couples it to a remote endpoint. In a shared skill, repository, or packaged agent environment, anyone with file access can extract and reuse the key, leading to unauthorized API consumption, billing abuse, and possible access to upstream model capabilities under the owner's account.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds a live API key directly in source code and forcibly sets a fixed external API endpoint at runtime. This exposes credentials to anyone with code access and causes automatic outbound data transfer to a third-party service, which is especially risky because user-supplied product ideas and generated PRD content may contain sensitive business information.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The comment states that an already configured API key is being used, but the code actually overrides environment variables with hardcoded values. This mismatch is dangerous because it hides the true credential source and network destination from users and reviewers, undermining trust and making accidental secret exposure or undisclosed data egress more likely.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A live API key is hard-coded directly in source and then installed into process-wide environment variables. This exposes a secret to anyone with code access, enables credential theft and unauthorized API usage, and makes downstream accidental leakage through logs, debugging, or child processes more likely.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file hardcodes a live external API credential and unconditionally forces global OpenAI-compatible endpoint settings for the whole process. This exposes a reusable secret to anyone with code access and can redirect unrelated model traffic in the runtime to the configured third-party endpoint, creating credential leakage, billing abuse, and unintended data exfiltration risks.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file hardcodes a live external API key and configures the runtime to use it automatically, even though the skill’s purpose is PRD analysis rather than secret management. This exposes the credential to anyone with file access and enables unauthorized use of the vendor account, billing abuse, and downstream compromise of any data sent through that key.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file hardcodes a live external API key and service endpoint directly in source code, which creates an immediate secret-exposure risk through source control, logs, packaging, or downstream reuse. In this skill context, the secret is especially dangerous because the code is meant to be run by an agent framework and the credential is then used to access an external LLM service, enabling unauthorized usage, billing abuse, and possible access to sensitive prompts or generated content.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is described as a PRD/requirements-analysis tool, but it also provisions a full code-generation/development agent and corresponding task. This scope expansion is dangerous because users may provide sensitive product or internal design information expecting analysis only, while the skill is actually set up to generate implementation guidance and potentially facilitate downstream coding workflows beyond the declared purpose.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A live external API credential and remote endpoint are hard-coded directly in the source file. This is dangerous because anyone with access to the skill code can reuse the credential, incur charges, access linked services, and route potentially sensitive user inputs to a third-party endpoint without secure secret management.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file hardcodes what appears to be a real DashScope API key and then exports it into process environment variables. This exposes a live credential to anyone with source access and enables unauthorized API use, billing abuse, and downstream compromise of any services tied to that account.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document encourages saving generated PRD content locally and sending it to Feishu without any warning about sensitive business data, customer information, or confidential roadmap material that may be contained in the output. In this skill context, that omission is meaningful because the workflow is explicitly designed to process product requirements and distribute the results, increasing the likelihood of accidental data leakage to local files or third-party collaboration platforms.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The guide includes a curl example that places the API key directly in the command line Authorization header. Even though the placeholder is not a real secret, users are likely to replace it with a live key, which can expose credentials via shell history, process listings, screen recordings, or copied terminal logs.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The guide instructs users to copy secrets into a local .env file and use them for external API calls, but it does not clearly warn that the key will be stored on disk and transmitted to third-party services. In a multi-agent skill context, this omission can cause users to expose credentials more broadly than they realize, especially if the workspace is shared, synced, or later committed accidentally.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The scraping example introduces a website fetch tool without warning that it will initiate outbound connections and process untrusted remote content. In an agent framework, this matters because users may enable the tool assuming it is local-only, while it can contact arbitrary sites and ingest attacker-controlled data into downstream prompts or outputs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly instructs users to save and inspect complete discussion logs, including each role's full outputs and context passing, but provides no warning or controls for sensitive data exposure. In a multi-agent workflow that discusses product requirements, API integrations, and possibly credentials or internal prompts, these logs can inadvertently store secrets, proprietary business context, or personal data on disk where they may be read by other local users, synced to cloud backup tools, or committed to source control.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The PRD explicitly states that API keys will be persisted in browser LocalStorage. LocalStorage is accessible to any JavaScript running in the page, so an XSS bug, malicious dependency, browser extension, or shared-device access could expose long-lived credentials. In this skill context, the app is specifically handling developer secrets for API connectivity, which makes insecure client-side storage more dangerous than generic non-sensitive preferences.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal