Nota Sign

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Nota Sign e-signature helper, but it sends selected documents and signer details to Nota Sign and stores sensitive credentials locally.

Install only if you are comfortable letting this skill send the selected document and signer names/emails to Nota Sign. Use UAT for testing, verify the file, signer emails, region, and environment before sending, protect ~/.notasign/config.json with strict permissions, and prefer a trusted local Node.js 18+ runtime over the npm fallback in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly performs network access and reads/writes configuration containing credentials, yet no declared permissions are documented. This creates a governance and consent gap: users or platforms may invoke a networked, credential-handling integration without clear visibility into its capabilities, increasing the chance of unintended data transmission or secret exposure through an over-privileged or opaque skill.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explains how to send documents, URLs, signer identities, and store credentials, but it does not clearly disclose that document contents and signer personal data will be transmitted to an external e-signature provider. In a skill that handles potentially sensitive files and identity data, this omission can lead users to share confidential material without informed consent or appropriate data-handling review.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow instructs the agent to collect an appKey as a Base64 PKCS#8 RSA private key and write it to a local config file, but it does not require an explicit warning or confirmation before storing that sensitive secret on disk. This can lead to users disclosing high-value private-key material without understanding persistence, local exposure risk, backup/sync propagation, or multi-user machine access implications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script collects an App ID, Base64-encoded PKCS#8 private key, and user code, then writes them in plaintext JSON to either a local project file or a home-directory config file. These are long-lived credentials, and storing them unencrypted without a clear warning or restrictive permissions increases the chance of credential theft from disk, backups, shared workspaces, or accidental commits.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function uploads full document contents to a remote presigned URL, and the broader flow also sends document metadata and file references to Nota Sign APIs. In a skill that may be invoked on local files, attachments, or URLs, failing to clearly disclose outbound transfer at execution time can cause users to unintentionally exfiltrate sensitive documents to third-party infrastructure.

Session Persistence

Medium
Category
Rogue Agent
Content
## Workflow

1. Check whether `./notasign-config.json` exists; if not, check `~/.notasign/config.json`.
2. If config is missing, ask only for the missing credential fields and write the config file.
3. If the user wants to switch between `PROD` and `UAT`, do not only flip `environment`. Collect the full target-environment values for `appId`, `appKey`, `userCode`, and `serverRegion`, then rewrite the config.
4. Validate the file input before sending:
   - local path must exist, or
Confidence
94% confidence
Finding
write the config file. 3. If the user wants to switch between `PROD` and `UAT`, do not only flip `environment`. Collect the full target-environment values for `appId`, `appKey`, `userCode`, and `serve

VirusTotal

55/55 vendors flagged this skill as clean.
