OpenClaw confluence

Security checks across malware telemetry and agentic risk

Overview

This is a broad Confluence API helper that legitimately handles credentials and powerful Confluence actions, but users should treat it as an admin-capable tool.

Install only if you intend to let an agent use your Confluence credentials for broad API access, including creating, updating, deleting, inviting users, redacting content, and admin-key actions. Use least-privilege tokens or OAuth scopes, keep the .env file out of source control, restrict file permissions, and require explicit human review before running destructive, invite, redaction, or admin-key commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill includes email-based access checking and invitation endpoints, which enable user enumeration and tenant expansion actions beyond standard document management. In an autonomous agent setting, these capabilities can be abused to probe who has access or trigger unsolicited invitations, creating privacy, governance, and social-engineering risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill includes email-based access checking and invitation endpoints, which enable user enumeration and tenant expansion actions beyond standard document management. In an autonomous agent setting, these capabilities can be abused to probe who has access or trigger unsolicited invitations, creating privacy, governance, and social-engineering risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This script exposes create/get/delete operations for an `/admin-key` endpoint that is unrelated to a Confluence REST API v2 integration. In the context of a skill presented as a Confluence API client, adding administrative key management is highly suspicious because it could provision or remove privileged access material outside the declared functionality, enabling unauthorized control or persistence.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file's behavior does not match the skill's stated purpose: a Confluence REST API skill should not silently include commands that create and delete an `admin-key`. This mismatch is dangerous because disguised privileged functionality can evade review, mislead operators into installing the skill, and provide a covert path to elevate access or manipulate sensitive configuration.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation tells users to place sensitive credentials in environment variables or local config without any warning about secure storage, redaction, rotation, or avoiding accidental disclosure in logs and shared files. That creates a realistic risk of token leakage through shell history, checked-in config files, screenshots, or copied examples, especially in collaborative environments.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The `delete` command performs a destructive administrative action immediately with no warning, confirmation, or safety interlock. For an endpoint named `/admin-key`, accidental or scripted deletion could revoke access, break administrative workflows, or be abused to cause denial of service against whoever depends on that key.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads existing Confluence credentials from a user config file and writes them in plaintext into a project-local .env file. This increases credential exposure risk because .env files are commonly left with default filesystem permissions, accidentally committed to source control, or read by other local tooling without any warning or hardening.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script issues a destructive POST to the Confluence redact endpoint based solely on command-line arguments, with no confirmation prompt, dry-run mode, or secondary safeguard. In an admin/API automation context, a mistyped ID, scripted misuse, or accidental invocation could permanently alter or remove sensitive content visibility, making the operation risky even if the code is intended for legitimate maintenance.

Ssd 3

Medium
Confidence
98% confidence
Finding
Including a real personal email address as an example credential value is unsafe documentation practice because it normalizes use of real identifiers in config examples and may expose personal data unnecessarily. It can also lead users to copy, echo, or retain realistic credential-like data in transcripts, configs, or logs.

VirusTotal

64/64 vendors flagged this skill as clean.
