Magento 2 Admin

Security checks across malware telemetry and agentic risk

Overview

This is a real Magento administration skill, but it gives an agent broad production-store power with incomplete guardrails around command inputs and destructive actions.

Install only if you own and administer the Magento server and can review commands before execution. Use dedicated least-privilege SSH, DB, and Magento admin accounts; keep production use non-autonomous; require explicit confirmation for writes, refunds, restores, service restarts, Composer changes, Redis flushes, and DB deletes; validate or quote every substituted value; and redact customer or admin personal data unless full details are explicitly needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

High
Confidence: 98%
Finding
The skill claims free-form user input is never interpolated into commands, but many templates explicitly instruct replacing placeholders such as EMAIL, USERNAME, SKU, SEARCH_TERM, PATH, VALUE, and SQL fragments. That mismatch is dangerous because an agent may trust the safety claim and pass user-controlled data into shell, SQL, REST, or GraphQL contexts without validation, enabling command, query, or request injection.

Intent-Code Divergence

High
Confidence: 98%
Finding
The repeated claim in the agent instructions says free-form input is never interpolated, yet the skill contains numerous command templates that require direct substitution into shell commands, SQL strings, and HTTP payloads. This can cause downstream agents to over-trust the skill and execute unsafe operations with attacker-supplied values.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The skill states it connects only to MAGENTO_HOST and sends nothing to third parties, but it also contacts configurable endpoints like MAGENTO_BASE_URL and MAGENTO_OS_URL. If those variables are misconfigured or attacker-influenced, data and credentials could be transmitted to unintended destinations while the operator believes the skill is constrained.

VirusTotal

63/63 vendors flagged this skill as clean.
