Comms Hub Bridge

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it connects to a preconfigured external bridge and grants broad messaging, file upload, message deletion, and bridge-wide visibility without clear access controls or confirmations.

Install only if you intend to use this specific Comms Hub style of shared agent bridge. Replace config.json with a hub you control, verify authentication and authorization on the server, avoid automatic processing of bridge messages, and require explicit user approval before uploading files or acknowledging/deleting messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill explicitly relies on environment variables for hub connection details and agent identity, but no permissions are declared to signal that environmental data may be consumed. This creates hidden capability and review gaps: operators may invoke the skill without realizing it can read deployment-specific configuration and communicate externally using those values.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill description frames the capability as agent messaging and coordination, but the documented commands also expose broader operational visibility such as health checks, bridge-wide message retrieval, and global state inspection. That mismatch can cause overbroad invocation and surprise data access, especially if users expect only inbox/send behavior and not potentially system-wide enumeration.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The client exposes an `allMessages` operation that retrieves `/api/bridge/all-messages`, enabling any user of this tool to enumerate messages beyond their own inbox. In a multi-agent bridge, this breaks least-privilege expectations and can expose sensitive cross-agent prompts, credentials, or coordination data if the server permits the request.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The `state` method requests `/api/bridge/state`, exposing full bridge state inspection that exceeds the stated purpose of agent-to-agent messaging. This can reveal topology, metadata, or operational details useful for reconnaissance and abuse, especially in a shared multi-agent environment.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation text is broad enough to trigger on generic communication or coordination tasks, increasing the chance the agent will select this skill in situations where external messaging, file transfer, or bridge polling is unnecessary. In this context, over-triggering is risky because the skill reaches a shared network service and can expose or alter cross-agent data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown documents file upload and message acknowledgment/deletion operations without warning that these actions can permanently remove queue items or transfer local files to a shared service. That omission increases the likelihood of accidental destructive actions or unintended data disclosure by users and agents treating the commands as routine.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The upload function reads an arbitrary local file and transmits its contents to the remote hub with no confirmation prompt, allowlist, size/type checks, or warning about exfiltration. In an agent skill whose purpose is cross-machine coordination, this increases the risk of accidental disclosure of secrets, local documents, or system files.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```
Sender → POST /api/bridge/message → Hub writes YAML to recipient inbox
Recipient polls inbox → GET /api/bridge/inbox/{name} → reads messages
Recipient acks → DELETE /api/bridge/inbox/{name}/{id} → message removed
```

## Network Reference
Confidence
87% confidence
Finding
DELETE /api/bridge/inbox/{name}/{id}

VirusTotal

64/64 vendors flagged this skill as clean.