ClawHub

Roboflow

Security checks across malware telemetry and agentic risk

Overview

This Roboflow skill is mostly coherent, but it is advertised as read/search-oriented while it can run Roboflow workflows using connected credentials.

Install only if you intend to let the agent use your OOMOL-connected Roboflow account. Before running workflow or object-detection actions, confirm the exact workflow, inputs, workspace/project identifiers, expected cost/resource use, and what data will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest and description frame the skill as limited to searching and reading data, but the documented actions include workflow execution operations such as run_workflow and run_saved_workflow. That mismatch can mislead an agent or reviewer into treating the skill as read-only, increasing the chance that active operations are invoked without appropriate caution or user confirmation.

Intent-Code Divergence

Low
Confidence
81% confidence
Finding
The safety section says only create/update/send/post and delete/remove actions change state, but execution actions are excluded from that warning despite potentially triggering compute jobs, downstream integrations, or other side effects. This creates an unsafe read-only framing that may cause an agent to run execution actions without recognizing their operational impact.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The instruction to use this skill for ANY Roboflow request is overly broad and lacks boundaries for sensitive, high-risk, or unsupported tasks. Broad trigger language can cause over-selection of the skill in contexts where more constrained handling, extra confirmation, or refusal logic would be appropriate.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal