Power Automate Build

Security checks across malware telemetry and agentic risk

Overview

The skill is legitimate documentation for building Power Automate flows, but it gives an agent enough live automation authority that users should review deployments carefully before use.

Install only if you trust FlowStudio MCP and intend to let an agent create or change live Power Automate flows. Before deployment, require the agent to show the target environment, exact flow ID or creation plan, generated definition or diff, trigger type and exposure, connector accounts, and any callback or SAS-bearing URLs; prefer non-production testing and least-privileged credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

High
Confidence: 96%
Finding
The REST MERGE example explicitly recommends `IF-MATCH: *`, which disables ETag-based concurrency protection and forces an overwrite regardless of intervening changes. In a skill designed to scaffold and deploy live Power Automate flows, this can normalize unsafe update patterns that cause silent data loss or overwrite another process's changes in SharePoint lists.

Missing User Warnings

Medium
Confidence: 90%
Finding
The child-flow example embeds a full HTTP trigger URL containing a SAS token (`sig=...`), which is effectively a bearer secret for invoking the flow. In documentation for a build/deploy skill, this is dangerous because users may copy the pattern verbatim, hardcode real trigger URLs into source-controlled flow definitions, or expose them in logs and run history, enabling unauthorized invocation of downstream automation.

Missing User Warnings

Medium
Confidence: 85%
Finding
The HTTP-trigger example exposes a request endpoint that accepts arbitrary inbound data and directly reflects submitted fields in the response without any warning about trust boundaries, authentication, or validation. In a skill specifically designed to help users build and deploy Power Automate flows, this pattern can be copied into production and unintentionally create a publicly reachable echo endpoint that facilitates data disclosure, abuse, or unsafe downstream extension.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document explicitly recommends an HTTP Request trigger with an empty schema (`"schema": {}`) to accept arbitrary JSON and says to use it for external webhooks, but it provides no warning about input validation, authentication, replay protection, or exposure of the callback URL. In this skill's context—building and deploying Power Automate flows automatically—this guidance can directly lead agents or users to create internet-reachable endpoints that trust unvalidated input, increasing the risk of malicious payloads, logic abuse, and downstream action misuse.

VirusTotal

64/64 vendors flagged this skill as clean.
