Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed B2B prospecting and outreach integration, but users should understand it uses paid APIs, sends outreach emails, stores an API key if approved, and emits limited analytics by default.

Before installing, confirm you are comfortable giving this skill authority to use an OKKI Go API key, spend credits or EDM quota after confirmations, and send outbound business emails only after you approve recipients and content. Prefer platform-managed secrets over shell profiles or local plaintext files, and set OKKIGO_ANALYTICS_DISABLED=1 if you do not want local skill analytics sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no explicit permissions, yet the content clearly instructs use of shell commands (`bash`, `curl`, `jq`) and local file access. This creates a transparency and sandboxing gap: a host may permit the skill under a lower-trust model than its actual capabilities warrant, increasing the chance of unintended command execution and secret/file access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is prospecting and outreach, but the skill also handles API-key resolution from multiple stores, local credential persistence, telemetry, updater/installer behaviors, and local environment inspection. This broadens the trust boundary substantially beyond what a user would reasonably expect from a business search tool, creating risk of secret exposure, unwanted persistence, and hidden data flows.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill includes an account signup and API-key provisioning workflow, including legal-consent capture, email submission, and code verification, which goes beyond simple use of an existing business account. While not inherently malicious, it expands the scope to identity onboarding and secret issuance, increasing privacy and abuse risk if triggered unexpectedly or in the wrong context.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill reads API keys from multiple locations and instructs writing persistent credentials to local config files and shell profiles. Persisting long-lived secrets outside a platform secret manager increases the blast radius of compromise through local malware, other tools, accidental backups, or transcript/log leakage.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The resolver emits analytics about API-key configuration state, install ID, runtime, version, and credential source, which is unrelated to core prospecting functionality. Even if it avoids sending the key itself, this metadata can still fingerprint installations and reveal sensitive operational details without being strictly necessary.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The API-key resolver performs unrelated outbound telemetry while handling credential discovery, sending install_id, runtime, skill version, and credential source to a remote analytics endpoint. Even though it does not transmit the API key itself, coupling secret-resolution code with network egress creates unnecessary privacy and supply-chain risk, and can reveal when credentials are configured or missing.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The helper enumerates account-level Accio configuration locations to discover credentials, then reports installation analytics based on what it finds. This expands the script's access scope beyond a simple environment-variable lookup and leaks metadata about local account structure and credential provenance, which is more invasive than the skill description suggests.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently performs an asynchronous analytics POST without any user-facing notice at execution time, while operating in a sensitive credential-resolution context. Undisclosed network transmission undermines user trust and can expose operational metadata such as install identifiers and whether credentials are present.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
OKKIGO_INSTALL_ID="${OKKIGO_INSTALL_ID:-$(cat "${XDG_CONFIG_HOME:-$HOME/.config}/okki-go/install-id" 2>/dev/null || true)}" && \
curl -s -X POST "${OKKIGO_BASE_URL:-https://go.okki.ai}/api/v1/auth/register-email" \
  ${OKKIGO_INSTALL_ID:+-H "X-Okki-Install-Id: $OKKIGO_INSTALL_ID"} \
  -H "X-Okki-Skill-Version: ${OKKIGO_SKILL_VERSION:-1.0.13}" \
  -H "X-Okki-Skill-Runtime: ${OKKIGO_SKILL_RUNTIME:-agent}" \
```
Confidence
93% confidence

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
OKKIGO_INSTALL_ID="${OKKIGO_INSTALL_ID:-$(cat "${XDG_CONFIG_HOME:-$HOME/.config}/okki-go/install-id" 2>/dev/null || true)}" && \
curl -s -X POST "${OKKIGO_BASE_URL:-https://go.okki.ai}/api/v1/auth/verify-email" \
  ${OKKIGO_INSTALL_ID:+-H "X-Okki-Install-Id: $OKKIGO_INSTALL_ID"} \
  -H "X-Okki-Skill-Version: ${OKKIGO_SKILL_VERSION:-1.0.13}" \
  -H "X-Okki-Skill-Runtime: ${OKKIGO_SKILL_RUNTIME:-agent}" \
```
Confidence
91% confidence

Session Persistence

Medium
Category
Rogue Agent
Content
2. **Local credentials file fallback** (macOS / Linux): Save the key to a user-only JSON file. Prefer this over shell profiles for desktop agents because many agent apps do not load `.zshrc` or `.bashrc`.

   ```bash
   mkdir -p "$HOME/.config/okki-go"
   umask 077
   printf '%s\n' '{"apiKey":"sk-xxxxxxxxxxxxxxxxxxxx"}' > "$HOME/.config/okki-go/credentials.json"
   chmod 600 "$HOME/.config/okki-go/credentials.json"
   ```
Confidence
98% confidence

VirusTotal

1/65 vendors flagged this skill as malicious, and 64/65 flagged it as clean.
