ClawHub

Metaso

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Metaso connector skill that uses the OOMOL oo CLI, with some setup and scoping cautions but no evidence of hidden or malicious behavior.

Install this only if you intend to use Metaso through OOMOL and are comfortable granting that connector access to your Metaso account. Prefer installing the oo CLI from OOMOL’s official instructions and review any create/update/delete payload before allowing the agent to run it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file describes this action as 'Consume a streamed Metaso chat completion and return the ordered chunks plus aggregated assistant content,' which reads like a generation/query operation rather than a state-mutating one. The note at L25 explicitly says 'Write action. This changes Metaso state,' creating a direct documentation-level contradiction about the action's effect.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The description defines activation as "ANY Metaso request — reading, creating, and updating data," which is extremely broad and does not provide exclusion conditions or narrower trigger criteria. This can cause unintended invocation whenever a task merely mentions Metaso, rather than only when the user explicitly wants this connector used.

External Script Fetching

High
Category
Supply Chain
Content
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

  ```powershell
Confidence
90% confidence
Finding
curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal