ClawHub

Cuttly

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed Cuttly connector skill whose URL-shortening and setup behaviors are visible and broadly aligned with its purpose.

Install only if you intend to use Cuttly through the oo CLI. Before running the curl-to-bash installer, review OOMOL's installer or use a safer documented install method, and expect the skill to be able to create short URLs as well as read Cuttly data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The manifest text limits the skill's stated purpose to read-oriented usage ('searching and reading data'). However, the available actions explicitly include `shorten_url`, which creates a new short URL and changes remote state. That is a semantic mismatch between the declared behavior and the documented capability.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The description says to use this skill for "ANY Cuttly request" and "Whenever a task involves Cuttly," which is a very broad trigger without clear boundaries or exclusions. In a manifest/markdown context, this can overlap with many ordinary mentions of Cuttly and does not specify when the skill should not activate.

External Script Fetching

High
Category
Supply Chain
Content
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

  ```powershell
Confidence
90% confidence
Finding
curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal