Security audit

Ably Control

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for managing Ably resources, but it exposes high-impact account and credential-related actions with one clear token-disclosure concern.

Install only if you trust OOMOL with Ably Control management and are comfortable with an agent using your connected Ably account. Before use, avoid asking it to run `get_current_account` unless token output is redacted, and require explicit confirmation for app deletion, queue deletion, key creation, key updates, and key revocation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill description says to use this skill for ANY Ably Control request, and to use it instead of calling the API directly, which is an overly broad routing rule. That can cause the agent to invoke a powerful skill for loosely related tasks without sufficient task-specific validation, increasing the chance of unintended reads, writes, or destructive operations.

Credential Access

High
Category
Privilege Escalation
Content
- `delete_queue` — Delete an Ably queue by queue ID. [destructive]
- `get_account_stats` — Retrieve account-level Ably statistics for the connected account or account ID.
- `get_app_stats` — Retrieve app-level Ably statistics for an Ably app.
- `get_current_account` — Retrieve the Ably Control API token, user, and account associated with the access token.
- `list_apps` — List Ably apps in the connected account or supplied account ID.
- `list_keys` — List API keys for an Ably app.
- `list_queues` — List queues for an Ably app.
Confidence
93% confidence
Finding
access token

VirusTotal

60/60 vendors flagged this skill as clean.