DigitalOcean

Security checks across malware telemetry and agentic risk

Overview

This DigitalOcean skill is mostly coherent, but it includes infrastructure-changing droplet lifecycle operations that are under-disclosed by its read-oriented description and not clearly guarded.

Install only if you are comfortable connecting an OOMOL account to DigitalOcean and letting the agent use the oo connector. Treat droplet reboot, shutdown, and power-cycle requests as production-impacting operations: require an exact droplet ID, action, environment check, and explicit confirmation before running. Review the oo CLI installer source or use a verified installation method instead of blindly piping a remote script to the shell.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The manifest and description frame the skill as only for searching and reading data, but the documented actions include `manage_droplet_lifecycle`, which can reboot, shut down, or power cycle infrastructure. This mismatch can mislead an agent or user into invoking a state-changing operation under a read-only trust model, increasing the risk of unintended service disruption.

Intent-Code Divergence

Severity: Low
Confidence: 91%
Finding:
The safety section requires confirmation for create/update/delete-style actions but does not explicitly cover the documented droplet lifecycle action, even though reboot, shutdown, and power-cycle operations change system state and can cause downtime. That omission weakens guardrails and may lead an agent to execute disruptive actions without explicit user approval.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The instruction to use this skill for ANY DigitalOcean request is overly broad and can cause agents to route both harmless lookups and sensitive operational tasks through the same capability without sufficient narrowing. In the context of a skill that includes a mutating droplet lifecycle action, this broad trigger increases the chance of inappropriate or overly trusted use.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This skill enables destructive infrastructure operations such as reboot, shutdown, and power cycle, but the description and usage guidance do not warn the operator about service disruption, availability impact, or the need for confirmation before execution. In an agentic context, that omission increases the chance of accidental disruptive actions against production systems, especially because the skill is framed for broad use on any DigitalOcean request.

External Script Fetching

Severity: High
Category: Supply Chain
Confidence: 97%
Content (quoted from the skill):

- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

Finding:
`curl -fsSL https://cli.oomol.com/install.sh | bash`

VirusTotal

VirusTotal findings are pending for this skill version.