ClawHub

Preny Analytics

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Preny analytics tool, but it needs review because it asks users to handle powerful Preny tokens unsafely and includes under-disclosed tools that can read and reply to customer conversations.

Install only if you trust the publisher and intentionally want an agent to access Preny business/customer data. Prefer an official scoped API credential over a copied browser session token, avoid storing the token permanently in shell startup files, and do not use the conversation reply helper unless you explicitly want the skill to send customer-facing messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as sales analytics, but the detected behavior includes access to detailed conversations, customer contact data, and the ability to send replies through the API. That mismatch is dangerous because users may authorize it expecting read-only analytics while it can process PII and take write actions on customer conversations, expanding both privacy and integrity risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as sales-data analytics, but it also exposes direct conversation-listing functionality that can reveal customer names, channels, and message previews. This expands the data-access scope from aggregate analytics to potentially sensitive customer communications, increasing privacy and least-privilege risk if the skill is installed or approved under the assumption that it only performs reporting.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is described as analytics-focused, but this script can list conversations, fetch full customer conversation details, and send replies as an agent. That expands the capability from passive analytics into active customer-support operations, increasing the chance of unauthorized actions, social engineering, or misuse of customer communications under the wrong trust assumptions.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code explicitly instructs users to recover a live bearer token from the Preny web app via browser DevTools and paste it into the environment. That is a credential-acquisition workflow outside the stated analytics purpose, and it normalizes insecure handling of session/API credentials that could grant broad access if copied, logged, or reused improperly.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script explicitly instructs users to open browser DevTools and copy a Bearer token from live application traffic for reuse in a local shell environment. That encourages extraction and long-lived handling of a sensitive session/API credential outside its intended context, increasing the risk of credential theft, accidental disclosure in shell history, logs, screenshots, or reuse beyond least-privilege access.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs users to export a sensitive API token but provides no guidance on secure storage, scope minimization, rotation, redaction, or privacy implications of sending customer data to the external service. This increases the risk of credential leakage and unauthorized access to potentially sensitive sales and customer interaction data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs users to store a live authentication token in shell environment variables and append it to ~/.bashrc for persistence. This increases exposure through shell history, process/environment leakage, backups, and long-term retention of a credential that grants access to business data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The console workflow prints the bearer token directly to the screen, which can expose it via shoulder-surfing, screen recording, browser console persistence, or support screenshots. Because the token appears to grant access to enterprise sales data, disclosure could enable unauthorized API access until expiry or revocation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script retrieves and prints customer name, phone number, email, and message history directly to the terminal without any privacy notice, masking, minimization, or access control in the script itself. In a shared terminal, logs, recordings, or agent environment, this can expose sensitive customer data more broadly than necessary.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The help text tells users to extract an Authorization bearer token from DevTools but does not warn that the token is highly sensitive and may provide direct access to account data. This increases the chance that users mishandle credentials, expose them in terminal history, screenshots, logs, or shared support channels.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script tells users to extract an Authorization bearer token from DevTools but provides no warning that the token is sensitive, potentially equivalent to account access, and should be handled as a secret. Users may paste it into terminals, shell profiles, chat, or shared documentation, making compromise more likely even if the script itself does not exfiltrate the token.

Ssd 3

High
Confidence
99% confidence
Finding
The error/help path actively coaches users to retrieve a live bearer token from browser network traffic, which is effectively teaching credential extraction from an authenticated web session. In this skill context, that is more dangerous because the skill's business purpose is analytics, yet it conditions users to bypass proper auth provisioning and handle powerful tokens unsafely.

Ssd 3

High
Confidence
98% confidence
Finding
The instructions normalize copying a live authorization token from browser DevTools for reuse in another tool, which bypasses proper secret issuance and teaches an unsafe credential-handling pattern. In the context of an analytics skill, this is more dangerous because the stated purpose does not require browser-session scraping, so users are being pushed toward a risky workaround that could expose broad account access.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal